Can CloudFront be configured to scrub all IP addresses from the incoming request before passing it to the origin?

For compliance reasons we cannot collect or process IP addresses in our application. At first glance the (presumably) new CloudFront Functions seem able to do what is needed: https://aws.amazon.com/blogs/aws/introducing-cloudfront-functions-run-your-code-at-the-edge-with-low-latency-at-any-scale/

Is it possible to remove the incoming IP address entirely, so that it is not visible even in the X-Forwarded-For header (or any other field)? As shown in this article:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#RequestCustomIPAddresses

If a viewer sends a request to CloudFront and does not include an X-Forwarded-For request header, CloudFront gets the IP address of the viewer from the TCP connection, adds an X-Forwarded-For header that includes the IP address, and forwards the request to the origin.

So every request will carry the IP address in the X-Forwarded-For header. Is there a way to disable this?

CloudFront Functions can run at the Viewer Request stage and modify the incoming request headers, but the client IP will still be appended to X-Forwarded-For when the request is passed on to the origin.

However, you can use Lambda@Edge at the Origin Request stage to modify the headers sent to the origin (for example, to remove X-Forwarded-For).

Here is what that looks like in Node.js:

```javascript
// Lambda@Edge handler attached to the Origin Request trigger.
// CloudFront lower-cases header names in event.Records[0].cf.request.headers.
exports.handler = async (event, context) => {
    const request = event.Records[0].cf.request;
    const headers = request.headers;

    // Drop the header CloudFront added so the origin never sees the viewer IP.
    delete headers['x-forwarded-for'];
    return request;
};
```

Or, if you want to scramble the last part of the IP:

```javascript
// Same trigger, but instead of removing the header it is replaced with the
// viewer address whose trailing run of word characters (the last IPv4 octet)
// is overwritten with 0, e.g. 203.0.113.7 -> 203.0.113.0.
exports.handler = async (event, context) => {
    const request = event.Records[0].cf.request;
    const headers = request.headers;

    headers['x-forwarded-for'] = [{
        key: 'X-Forwarded-For',
        value: request.clientIp.replace(/\w+$/, '0')
    }];
    return request;
};
```

This can of course be extended to other headers if needed.
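The following is an added example, not the answer's code, that extends the two handlers above into one origin-request handler: it removes a whole list of headers that can carry a viewer address (so a client cannot smuggle one past the scrub in, say, X-Real-IP) and, in "truncate" mode, re-adds X-Forwarded-For with the host part zeroed. It also handles IPv6, where the `/\w+$/` replace above would only blank the last 16-bit group. The event shape (`event.Records[0].cf.request` with `headers` and `clientIp`) is the real Lambda@Edge one; the header list, the `scrubRequest`/`anonymizeIp` helpers and the sample event are assumptions constructed for this example.

```javascript
// Added example (not the answer's or AWS's code): Lambda@Edge origin-request
// handler that strips every header that may carry the viewer IP, or keeps a
// truncated X-Forwarded-For. Header list and sample event are constructed.

// Lower-cased header names to scrub. X-Forwarded-For is the one CloudFront
// adds; the others are an assumed list of proxy headers a viewer could set
// themselves, removed so no address survives in any field.
const IP_HEADERS = ['x-forwarded-for', 'x-real-ip', 'forwarded'];

// Zero the host part of an address: /24 for IPv4, /48 for IPv6.
// Handles compressed "::" notation by keeping the groups before the "::".
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    const head = ip.split('::')[0].split(':').filter(Boolean).slice(0, 3);
    return head.join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4) {
    throw new Error(`unrecognised address: ${ip}`);
  }
  octets[3] = '0';
  return octets.join('.');
}

// Pure, testable core: mutates and returns the CloudFront request object.
// mode 'remove' drops every IP header; mode 'truncate' drops them and then
// re-adds X-Forwarded-For holding only the anonymised viewer address.
function scrubRequest(request, mode = 'remove') {
  for (const name of IP_HEADERS) {
    delete request.headers[name];
  }
  if (mode === 'truncate') {
    request.headers['x-forwarded-for'] = [
      { key: 'X-Forwarded-For', value: anonymizeIp(request.clientIp) },
    ];
  }
  return request;
}

// Lambda@Edge entry point for the Origin Request trigger.
async function handler(event) {
  return scrubRequest(event.Records[0].cf.request, 'remove');
}

// Constructed sample event: a viewer at 203.0.113.7 (documentation range)
// who also sent an X-Real-IP header of their own.
function sampleEvent() {
  return {
    Records: [{
      cf: {
        request: {
          clientIp: '203.0.113.7',
          method: 'GET',
          uri: '/index.html',
          headers: {
            host: [{ key: 'Host', value: 'example.com' }],
            'x-forwarded-for': [{ key: 'X-Forwarded-For', value: '203.0.113.7' }],
            'x-real-ip': [{ key: 'X-Real-IP', value: '198.51.100.9' }],
          },
        },
      },
    }],
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, scrubRequest, anonymizeIp, sampleEvent, IP_HEADERS };
}
```

Running `scrubRequest(sampleEvent().Records[0].cf.request, 'truncate')` leaves only `Host` and an `X-Forwarded-For` of `203.0.113.0`. Note that this only changes what the origin receives: if CloudFront standard logging is enabled for the distribution, the viewer address is still recorded there, so that setting has to be reviewed separately for the same compliance goal.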