I developed an AWS Lambda Proxy using Serverless in order to call a private API, process its result and return it.

It's simple enough, though the private API does not return anything once "X-Forwarded-For" is set in the HTTP request.

I haven't found a way to blacklist this header in CloudFront, nor in CloudFormation or API Gateway.

Where should I look?

For reference, the serverless.yml I use:

service: mylambda
provider:
  name: aws
  runtime: java8
  memorySize: 1024
  timeout: 240
package:
  artifact: target/awslambda-1.0-SNAPSHOT.jar
functions:
  leboncoinlist:
    handler: com.example.awslambda.handler.HttpRequestHandler
    events:
        - http:
            path: list
            method: post
            cors: true
Captain H.
  • Is API Gateway using Lambda proxy or Lambda integration? – K Mo Jul 11 '18 at 07:14
  • Oh right, I forgot to specify it's a Lambda Proxy – Captain H. Jul 11 '18 at 09:29
  • Using Lambda Proxy means that the whole message (including all headers) is passed directly to Lambda. You'd have to move to Lambda integration with body mapping to stop this header being passed in. I think you may be tackling the problem in the wrong way though. Instead of trying to stop the header being passed in, why don't you check your Lambda code to figure out why an additional header is causing it to fail, then fix it? – K Mo Jul 12 '18 at 07:25
  • I'm actually calling an HTTP endpoint that's not mine from my Lambda using Apache's HTTP Client. Trouble is, Amazon appends unwanted headers to this outgoing call and I have no control over this in my lambda's code. – Captain H. Jul 12 '18 at 08:58
  • Sorry, I misunderstood your question, although now I'm more confused. Are you saying that the X-Forwarded-For value that gets appended to the incoming API request through your API Gateway endpoint is getting passed to the private API you are calling from Lambda? If so, that is still an issue with your code in Lambda. – K Mo Jul 12 '18 at 09:10
  • You made me realize that the Apache HTTP Client I use comes from the AWS SDK lib. Though, running locally the same code using the same dependencies, the "X-Forwarded-For" header is not sent, so it must be added by AWS's infrastructure. – Captain H. Jul 12 '18 at 13:19
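
K Mo's comments raise the possibility that headers from the incoming proxy event are being copied onto the outgoing call. One way to rule that out is an allow-list applied before the outgoing request is built, shown here as an added example that is not code from this thread; the class name, the allow-list contents and the sample header values are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example (hypothetical class): allow-list for headers copied from an
// API Gateway proxy event onto an outgoing HTTP call.
public class OutboundHeaderFilter {

    // Only these incoming headers may be copied to the outgoing request.
    // Stored in lower case because HTTP header names are case-insensitive.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("accept", "content-type")));

    // Returns a new map holding only allow-listed headers. Anything added in
    // front of the Lambda (X-Forwarded-*, Via, X-Amzn-Trace-Id, CloudFront-*)
    // is dropped because it is not on the list.
    public static Map<String, String> filter(Map<String, String> incoming) {
        Map<String, String> out = new LinkedHashMap<>();
        if (incoming == null) {
            return out; // a proxy event can arrive without a header map
        }
        for (Map.Entry<String, String> e : incoming.entrySet()) {
            String name = e.getKey();
            if (name != null && e.getValue() != null
                    && ALLOWED.contains(name.toLowerCase(Locale.ROOT))) {
                out.put(name, e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of the "headers" map in a proxy event.
        Map<String, String> incoming = new LinkedHashMap<>();
        incoming.put("Content-Type", "application/json");
        incoming.put("X-Forwarded-For", "203.0.113.7, 198.51.100.20");
        incoming.put("X-Forwarded-Proto", "https");
        incoming.put("Via", "1.1 example.cloudfront.net (CloudFront)");
        incoming.put("X-Amzn-Trace-Id", "Root=1-00000000-000000000000000000000000");

        Map<String, String> outgoing = filter(incoming);
        // Log what will actually be sent, to compare with a local run.
        System.out.println("outgoing headers: " + outgoing);
    }
}
```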

2 Answers

Amazon Lambda does not allow the setting of X-Forwarded-* headers. It is already a part of the blacklisted headers. If you were to set it as a part of your Lambda function, the default behaviour of CloudFront is that the request fails CloudFront validation. CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

See the following link for more on list of blacklisted headers: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-requirements-limits.html#lambda-cloudfront-star-headers

If you want CloudFront to add any of the CloudFront-* headers, you must configure CloudFront to cache based on these headers. For information about configuring CloudFront to cache based on specified headers, see this link for more: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesForwardHeaders

Please note that for viewer events, CloudFront-Viewer-Country is blacklisted. Blacklisted headers aren't exposed and can't be added by Lambda@Edge functions. If your Lambda function adds a blacklisted header, the request fails CloudFront validation, and CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer.

Hope this helps.

  • I don't believe *all* of the X-Forwarded-* headers are blacklisted, according to the documentation only X-Forwarded-Proto is blacklisted. – Erica Kane Dec 21 '18 at 23:59

Are you using leboncoin.fr's API? If so, it seems they use datadome to enable bot-protection, which would explain where this header is set and why the API blocks your request then.

Halko Karr-Sajtarevic