When I was new to AWS, I faced an interesting challenge while working on a task to digitally sign a document, which required the client's IP as part of the e-signature. Initially, I was thrilled when the implementation seemed to work perfectly the first time. However, my excitement was short-lived. During testing, I noticed that the same IP address was being returned, even when I accessed the application from different machines. It was then that I realized the IP address I was receiving was not the actual client IP but the IP of the load balancer.
This discovery led me down a path of investigation and learning. I had to dig deeper to understand what was happening and how to retrieve the real client IP. In this blog, I will share my experience and provide a comprehensive guide on how to achieve this using AWS Lambda and Python, ensuring you can accurately capture the client’s IP address when using an Application Load Balancer (ALB).
When a client makes a request to your application through an ALB, the load balancer acts as an intermediary. Consequently, the IP address your application sees is that of the ALB, not the client's. To address this, ALB includes the client's IP in the X-Forwarded-For HTTP header. This header can contain multiple IP addresses in case the request has passed through multiple proxies.
Here's what we need to handle:
Extract the Client IP: Retrieve and parse the X-Forwarded-For header.
Handle Multiple IPs: Ensure that we get the correct client IP even when multiple proxies are involved.
The X-Forwarded-For header should be used with caution due to potential security risks. The entries can only be considered trustworthy if added by systems that are properly secured within the network. This ensures that the client IPs are not tampered with and are reliable.
AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. Python, with its simplicity and readability, is an excellent choice for handling this task within a Lambda function.
AWS Lambda Function: The core function that processes incoming requests.
Application Load Balancer (ALB): The load balancer that forwards requests to the Lambda function.
First, ensure your Lambda function is set up and integrated with an ALB. Follow AWS's official guide if needed: Using Lambda functions as targets for Application Load Balancer.
Let's dive into the Python code for the Lambda function. This function will extract the client's IP address from the X-Forwarded-For header.
import json def lambda_handler(event, context): # Extract the 'X-Forwarded-For' header x_forwarded_for = event['headers'].get('x-forwarded-for') if x_forwarded_for: # The first IP in the list is the client's IP client_ip = x_forwarded_for.split(',')[0] else: # Fallback if header is not present client_ip = event['requestContext']['identity']['sourceIp'] # Log the client IP print(f"Client IP: {client_ip}") # Respond with the client IP return { 'statusCode': 200, 'body': json.dumps({'client_ip': client_ip}) }
Extract the Header: Retrieve the X-Forwarded-For header from the incoming request.
Parse the Header: Take the first IP, which represents the client's original IP.
Fallback Mechanism: Use the source IP from the request context if the header is not present.
Logging and Response: Log and return the client's IP for verification.
Request:
{ "headers": { "x-forwarded-for": "203.0.113.195, 70.41.3.18, 150.172.238.178" }, "requestContext": { "identity": { "sourceIp": "70.41.3.18" } } }
Response:
{ "client_ip": "203.0.113.195" }
Identifying the actual client IP in an AWS Lambda function behind an ALB requires careful handling of the X-Forwarded-For header. This approach ensures accurate IP logging and enhances the application's ability to personalize and secure user interactions.
AWS ALB Documentation:
Python in AWS Lambda:
HTTP Headers Explained
The above is the detailed content of Getting the Actual Client IP When Using Application Load Balancer (ALB) in AWS Lambda. For more information, please follow other related articles on the PHP Chinese website!