It seems it becomes necessary that the allow: rule includes the IP of the AWS LBs, since they always become the RemoteAddr; however, this is especially painful for public LBs, since those change to whatever IP at random, given:
For HTTP requests the client RemoteAddr is always validated, followed by all elements of the X-Forwarded-For header, if present. When all of these elements match an allow, the request will be allowed; similarly, when any element matches a deny, the request will be denied.
We have an unfortunate URI-based routing complexity where some routes should only allow "internal" traffic, but most everything else should be public. This requires Fabio to be fronted by a public-facing LB. For certain paths, we want only a defined set of IPs to have access, but because the access control requires the LB's IP, which is always changing, this definition becomes impossible without allowing the entirety of AWS-owned IPs.
Is there a way to disable the RemoteAddr check and instead just look to see if any IPs match in X-Forwarded-For, or possibly apply OR logic instead of AND?
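The quoted rule (RemoteAddr first, then every X-Forwarded-For element, AND for allow, any-match for deny) is easy to model, and doing so shows exactly why a public LB with a changing address fails the check. The following Go program is an added example and is not Fabio's code; the ACL type, the newRequest helper, the CIDR ranges and the addresses are all constructed for illustration. Allowed reproduces the documented AND semantics. AllowedViaTrustedProxy is an alternative design, assumed here rather than taken from Fabio: RemoteAddr must belong to a known proxy range, and only the rightmost X-Forwarded-For element, the one that trusted proxy appended, is checked, because elements further left are client-supplied and cannot be trusted.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ACL is a hypothetical allow/deny list of CIDR ranges modelled on the quoted
// semantics; it is not Fabio's own type.
type ACL struct {
	Allow []*net.IPNet
	Deny  []*net.IPNet
}

// parseCIDRs turns "10.0.0.0/8"-style strings into networks, skipping bad entries.
func parseCIDRs(list []string) []*net.IPNet {
	var nets []*net.IPNet
	for _, s := range list {
		if _, n, err := net.ParseCIDR(strings.TrimSpace(s)); err == nil {
			nets = append(nets, n)
		}
	}
	return nets
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// remoteIP returns the RemoteAddr host without its port, or nil if unparseable.
func remoteIP(r *http.Request) net.IP {
	host := r.RemoteAddr
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return net.ParseIP(host)
}

// forwardedIPs returns every X-Forwarded-For element in header order,
// dropping elements that are not valid IPs.
func forwardedIPs(r *http.Request) []net.IP {
	var ips []net.IP
	for _, v := range r.Header.Values("X-Forwarded-For") {
		for _, s := range strings.Split(v, ",") {
			if ip := net.ParseIP(strings.TrimSpace(s)); ip != nil {
				ips = append(ips, ip)
			}
		}
	}
	return ips
}

// Allowed applies the quoted rule: any element matching a deny range rejects
// the request; otherwise every element, RemoteAddr included, must match an
// allow range (AND logic). An unparseable RemoteAddr is rejected.
func (a ACL) Allowed(r *http.Request) bool {
	rip := remoteIP(r)
	if rip == nil {
		return false
	}
	ips := append([]net.IP{rip}, forwardedIPs(r)...)
	for _, ip := range ips {
		if inAny(ip, a.Deny) {
			return false
		}
	}
	if len(a.Allow) == 0 {
		return true // no allow list configured: only the deny list applies
	}
	for _, ip := range ips {
		if !inAny(ip, a.Allow) {
			return false
		}
	}
	return true
}

// AllowedViaTrustedProxy is an assumed alternative design, not a Fabio feature:
// RemoteAddr must be a trusted proxy, and only the rightmost X-Forwarded-For
// element (the one that proxy appended) is checked against the ACL.
func (a ACL) AllowedViaTrustedProxy(r *http.Request, trusted []*net.IPNet) bool {
	rip := remoteIP(r)
	fwd := forwardedIPs(r)
	if rip == nil || !inAny(rip, trusted) || len(fwd) == 0 {
		return false
	}
	client := fwd[len(fwd)-1]
	if inAny(client, a.Deny) {
		return false
	}
	return len(a.Allow) == 0 || inAny(client, a.Allow)
}

// newRequest builds a request with the given RemoteAddr and X-Forwarded-For
// value; all addresses used below are constructed samples.
func newRequest(remoteAddr, xff string) *http.Request {
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	acl := ACL{Allow: parseCIDRs([]string{"10.0.0.0/8", "203.0.113.0/24"})}
	// Allowed client behind a public LB with an address outside the allow list: the LB hop fails the AND check.
	fmt.Println(acl.Allowed(newRequest("198.51.100.9:41234", "203.0.113.7")))
	// Same client behind an LB inside 10.0.0.0/8: every hop matches.
	fmt.Println(acl.Allowed(newRequest("10.1.2.3:41234", "203.0.113.7")))
}
```

The first call in main prints false and the second true, which is the situation described above: under AND semantics the only ways to admit the client are to enumerate the LB's possible addresses or to stop treating the LB hop as a client address, and the latter is only safe when RemoteAddr is pinned to a proxy you actually trust.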