
I have an EC2 instance with multiple IPs assigned to it. I use the IPs for different sites on the same server, but it seems that the EC2 instance uses the same IP for outgoing traffic.

For instance, when I use curl to check my IP address through the proxy, it gives me the public address, not the one I used as the proxy.

curl -x 52.4.95.169:3128 https://api.ipify.org/ # 52.4.95.169 is an Elastic IP assigned to the instance
34.12.45.235 # This is the response, the primary instance IP

This essentially defeats the purpose of using Elastic IPs for me; for security reasons I can't let anyone know that site-A and site-B are on the same server.

Is there some way to use a different IP for outgoing requests, or must I create a new instance for each site?

John Doe
  • Is your webserver configured to listen to all interfaces for all vhosts or do you specify to listen to different IPs depending on the vhost? – Federico Galli Jun 15 '17 at 08:11
  • I have one interface only, this is what I have in my `/etc/rc.local` `ip addr add 10.0.0.22/20 dev eth0`, one line for each IP. – John Doe Jun 15 '17 at 08:27
  • How do you add those multiple addresses? On EC2 you can't add two Elastic IPs to the same instance and you can own a maximum of 5. Are you using ELB? – Federico Galli Jun 15 '17 at 09:32
  • I have a t2.large instance. I create an Elastic IP and assign it to a private IP then add it to the server by the previous command `ip addr add 10.0.0.22/20 dev eth0`. – John Doe Jun 15 '17 at 16:12
  • And what about the second IP? You mean the ephemeral base IP of the instance? – Federico Galli Jun 15 '17 at 16:20
  • Assuming your policy routing configuration is correct, it should be `curl --interface x.x.x.x ...` where x.x.x.x is the private IP that is mapped to the EIP. – Michael - sqlbot Jun 15 '17 at 16:55
  • @FedericoGalli yes, all IPs work normally except outgoing traffic, which goes from the instance's default public IP. – John Doe Jun 15 '17 at 19:15
  • @Michael-sqlbot How about public traffic, how do I allow them to use another interface? – John Doe Jun 15 '17 at 19:15

1 Answer

Whenever an outbound connection is established, unless the connection is explicitly told to open on a specific network interface, it will open on the "default" interface.

`curl -x` is not the command to use to specify a network interface. The `-x` option specifies a proxy to tunnel the connection through.

In your `curl -x` example, your connection is proxying through your own EC2 instance, but all on the "default" interface.

So you want to use the `--interface` parameter instead of `-x`. This tells curl to open the outbound connection on that interface rather than the default one.

You can use the network interface name:

  • `curl --interface eth0`
  • `curl --interface eth1`

or you can use the network interface's private IP address.

  • `curl --interface 10.0.0.1`
  • `curl --interface 10.0.0.2`

You cannot use the public IP address.

Update From Comments:

The original poster was using Squid to proxy requests. This article helped the user configure squid to proxy according to his requirements.

[Setup squid to use multiple outgoing IP addresses](https://linuxaria.com/pills/setup-squid-to-use-multiple-outgoing-ip-addresses)

Matt Houser
  • That magically worked. But how about using it outside of the EC2 machine? Like when using a proxy I have to use the public IP then it would use the instance default interface. How to route the traffic for each IP separately. – John Doe Jun 15 '17 at 19:05
  • That would be done as part of your proxy software configuration. – Matt Houser Jun 15 '17 at 19:06
  • What do you mean? Proxy configuration is not the issue here. The curl command was for testing only; if I use the same curl command from my desktop, replacing the private IP with the public IP, it will get the same first result no matter what IP I use. That was my main question: how to set outgoing traffic based on IP address, just like when using another EC2 machine. – John Doe Jun 15 '17 at 19:12
  • There is no "one fits all" solution to that. I understand you want `ip1 in -> EC2 -> ip1 out` and `ip2 in -> EC2 -> ip2 out`. But making that happen depends on whatever software you have running on your EC2 instance that's making those outbound connections. That software needs to pay attention to the incoming interface and open outbound connections accordingly. – Matt Houser Jun 15 '17 at 19:38
  • I found this [answer](https://unix.stackexchange.com/a/111423) suggesting to use `iproute2`, but his answer is a bit vague for me. Let's say my main private IP is 10.0.0.94 and the Elastic IP belongs to 10.0.0.21; can you please elaborate if you have experience with it? – John Doe Jun 15 '17 at 20:13
  • I don't have experience with `iproute2`. But reading, they're trying to round robin the outgoing connections among the available interfaces. Your problem is that you want the outgoing connections to be based on the incoming connections. It's different since, generally speaking, network connections are not related to one another. It may help to know the software you are running on your EC2 instance that is making these outgoing connections. – Matt Houser Jun 15 '17 at 20:18
  • For proxy I use squid. – John Doe Jun 15 '17 at 20:38
  • Then you should look at your squid configuration to see if it can do what you want. Otherwise, try a different proxy. – Matt Houser Jun 15 '17 at 20:54
  • Thank you. I've found a hint on using the `tcp_outgoing_address` config variable; I will try to get it to work. I appreciate the help. – John Doe Jun 15 '17 at 21:02
  • I finally got it to work thanks to your advice. [Here's](https://linuxaria.com/pills/setup-squid-to-use-multiple-outgoing-ip-addresses) the article; please include it in your answer for future reference. – John Doe Jun 15 '17 at 23:54
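The `tcp_outgoing_address` approach from the comments and the `curl --interface` check from the answer, put together as an added example (not code from the original post or from the squid project). It generates a squid.conf fragment that ties each outgoing source address to the local address the client connected to, and it denies anything that arrived on an unmapped address so squid can never fall back to the primary IP. The site names, the `site_a`/`site_b` ACL names, the `SITE_MAP` variable and the `check_outgoing` helper are constructed; the private IPs 10.0.0.94 and 10.0.0.21 are the ones from the thread, assumed already added with `ip addr add` and mapped to Elastic IPs by AWS.

```shell
#!/bin/sh
# Added example, not from the original post. Generate a squid.conf fragment so
# that a request arriving on the address behind one Elastic IP also leaves from
# that address. Assumes secondary private IPs are already on eth0 and that AWS
# maps each one to its own Elastic IP. All names below are constructed.
set -eu

# Constructed mapping: "<acl name>:<private IP the Elastic IP is mapped to>"
SITE_MAP="site_a:10.0.0.94 site_b:10.0.0.21"
PROXY_PORT=3128

# Per address: a listening port, a `myip` ACL (matches only connections that
# arrived on that local address) and the matching tcp_outgoing_address. The
# final line denies requests that arrived on any address not in the map, so no
# request can silently use squid's default (primary) source address. Keep your
# own http_access rules that restrict who may use the proxy after this fragment.
gen_squid_fragment() {
  deny_line="http_access deny"
  for entry in $SITE_MAP; do
    name=${entry%%:*}
    ip=${entry#*:}
    echo "http_port ${ip}:${PROXY_PORT}"
    echo "acl via_${name} myip ${ip}"
    echo "tcp_outgoing_address ${ip} via_${name}"
    deny_line="${deny_line} !via_${name}"   # ACLs on one line are ANDed
  done
  echo "$deny_line"
}

# From the instance itself, confirm that binding to a mapped private IP really
# shows up as the expected Elastic IP. Needs network access, so it is only
# defined here, not run. Usage: check_outgoing 10.0.0.21 <expected Elastic IP>
check_outgoing() {
  seen=$(curl -s --interface "$1" https://api.ipify.org/)
  if [ "$seen" = "$2" ]; then
    echo "OK: $1 -> $seen"
  else
    echo "MISMATCH: $1 -> $seen (expected $2)"
    return 1
  fi
}

gen_squid_fragment
```

The outside-in check is the one already in the question: `curl -x <Elastic IP>:3128 https://api.ipify.org/` from another host should now echo back the same Elastic IP it was pointed at.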