hemi
Joined: 17 Nov 2011
Posts: 3
Posted: Thu Nov 17, 2011 10:06 pm Post subject: Nodebalancer, HTTPS, and remote IP in PHP
Hi,
We're looking at putting a couple of LAMP application servers behind a nodebalancer using HTTPS (via the TCP option).
The application will need to determine client IPs in PHP, along the lines of
Code:
```php
<?php
// Walks a list of forwarding headers and falls back to REMOTE_ADDR.
// Every HTTP_* value is a request header, i.e. it is set by whatever sent
// the request (an upstream proxy, or the client itself), so this only
// yields the real address when a proxy in front of the app adds one.
function ipCheck() {
    if (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP');
    } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('HTTP_X_FORWARDED')) {
        $ip = getenv('HTTP_X_FORWARDED');
    } elseif (getenv('HTTP_FORWARDED_FOR')) {
        $ip = getenv('HTTP_FORWARDED_FOR');
    } elseif (getenv('HTTP_FORWARDED')) {
        $ip = getenv('HTTP_FORWARDED');
    } else {
        // No forwarding header: the TCP peer address, which behind a
        // NodeBalancer is the balancer rather than the browser.
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
```
Reading this post though: http://forum.linode.com/viewtopic.php?p=42704 I'm wondering if this is actually possible. Can anyone advise?
Thanks
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Thu Nov 17, 2011 10:29 pm
With HTTPS through a load balancer, the connection is encrypted end-to-end. There's no way for the load balancer to modify (or even see) the contents, so there's no in-band way for it to communicate the client's actual IP address.
Just because you're paying for the man in the middle doesn't mean he's not a man in the middle :-)
If I had to come up with one possible method to do this right now, it would involve triggering a single, brief, non-blocking HTTPS request directly to a web server under your control (i.e. not load balanced) with an identifier (i.e. a session ID) tying it to the main session. You then have two IP addresses for that session and can eliminate the NodeBalancer one.
Also, based on that code snippet, I'm 99% sure you've never used VHDL. ;-)
hemi
Joined: 17 Nov 2011
Posts: 3
Posted: Sun Nov 20, 2011 7:49 pm
Thanks Hoopycat. Looking into possible workarounds now.
And no, I've never dealt with VHDL, although the code snippet is copypasta to illustrate the point - I didn't write it.
Cheers.
Azathoth
Joined: 07 Dec 2009
Posts: 263
Posted: Mon Nov 21, 2011 5:09 am
hoopycat wrote:
If I had to come up with one possible method to do this right now, it would involve triggering a single, brief, non-blocking HTTPS request directly to a web server under your control (i.e. not load balanced) with an identifier (i.e. a session ID) tying it to the main session. You then have two IP addresses for that session and can eliminate the NodeBalancer one.
+1
That's what I would do too, except you don't need to bypass the nodebalancer. If your session has no remote IP set, then redirect the user to a plain http URL where the handler will store the IP and redirect back to https.
You can either have a dedicated URL handler or simply put that at the top of the request chain.
mnordhoff
Joined: 03 May 2008
Posts: 451
Posted: Mon Nov 21, 2011 7:44 am
Azathoth wrote: +1
That's what I would do too, except you don't need to bypass the nodebalancer. If your session has no remote IP set, then redirect the user to a plain http URL where the handler will store the IP and redirect back to https.
You can either have a dedicated URL handler or simply put that at the top of the request chain.
Except for the fact that that would mean leaving HTTPS. That would be more or less safe for a little Ajax call, but doing a redirect would easily enable SSL stripping attacks.
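The side channel hoopycat proposes above, in the variant mnordhoff prefers (no plain-http redirect), as an added example that is not code from the thread: the balanced app stays on HTTPS, the browser makes one non-blocking HTTPS request to a host outside the NodeBalancer, and that host records the address it sees against a random per-session token, so the session id itself never leaves the app's origin. Assumed: PHP 7.1+, a MySQL table session_ip shared by both hosts via PDO, and the placeholder hostname direct.example.com.

```php
<?php
// Added example, not code from the thread. Both halves share one MySQL table
// (assumed): session_ip(token CHAR(32) PRIMARY KEY, ip VARCHAR(45), seen_at INT).
// DIRECT_HOST is a placeholder for a web server that is not behind the NodeBalancer.
const DIRECT_HOST = 'direct.example.com';

// One random token per PHP session (session_start() must already have run).
// The token, not the session id, is what travels to the direct host.
function beaconToken(): string {
    if (empty($_SESSION['ip_token'])) {
        $_SESSION['ip_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['ip_token'];
}

// ---- Load-balanced app ----------------------------------------------------
// The client IP recorded by the direct host, or null while it is still unknown.
function clientIp(PDO $db): ?string {
    $st = $db->prepare('SELECT ip FROM session_ip WHERE token = ?');
    $st->execute([beaconToken()]);
    $ip = $st->fetchColumn();
    return $ip === false ? null : $ip;
}

// Emit this once per page while clientIp() is null. An <img> load is
// non-blocking and stays on HTTPS, so no plain-http redirect is involved.
function beaconTag(): string {
    $url = 'https://' . DIRECT_HOST . '/beacon.php?t=' . beaconToken();
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES) . '" width="1" height="1" alt="">';
}

// ---- Direct host: beacon.php ----------------------------------------------
// Here REMOTE_ADDR is the browser's own address, because no balancer sits in
// between. Only a well-formed token and a syntactically valid IP are stored.
function recordBeacon(PDO $db, array $query, string $remoteAddr): bool {
    $token = $query['t'] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $token)
        || filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $st = $db->prepare(
        'INSERT INTO session_ip (token, ip, seen_at) VALUES (?, ?, ?)
         ON DUPLICATE KEY UPDATE ip = VALUES(ip), seen_at = VALUES(seen_at)'
    );
    return $st->execute([$token, $remoteAddr, time()]);
}
// beacon.php body: recordBeacon($db, $_GET, $_SERVER['REMOTE_ADDR']);
// then send a 1x1 GIF with Cache-Control: no-store so every page load reports.
```

Because the address is taken from REMOTE_ADDR on the direct host, the app never has to trust any of the HTTP_X_* headers from the snippet in the first post, which a client can set itself.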
Azathoth
Joined: 07 Dec 2009
Posts: 263
Posted: Mon Nov 21, 2011 9:26 am
mnordhoff wrote:
Except for the fact that that would mean leaving HTTPS. That would be more or less safe for a little Ajax call, but doing a redirect would easily enable SSL stripping attacks.
Technically, yes, but that could be done regardless. SSL is broken anyways.
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Mon Nov 21, 2011 10:05 am
Azathoth wrote: Technically, yes, but that could be done regardless. SSL is broken anyways.
So is the Internet, but we still use it and work around its foibles.
funkytastic
Joined: 10 Aug 2008
Posts: 99
Location: ~$
Posted: Mon Nov 21, 2011 1:18 pm
That VHDL reference went over my head. Are we mailing FPGAs to Caker now?
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Tue Nov 22, 2011 9:35 am
The long chain of if/elseif/else squicked my optimization nerve a bit. :-) I started thinking "how could I reimplement that as a mux" before I realized it didn't matter one lick.
(That, and the conditions aren't mutually exclusive.)