
For compliance reasons, we are not able to collect or process IP addresses in our application. With an initial look, it seems that the new(ish) Cloudfront Functions might be able to do what is needed. https://aws.amazon.com/blogs/aws/introducing-cloudfront-functions-run-your-code-at-the-edge-with-low-latency-at-any-scale/

Can the incoming IP addresses be removed entirely so that they are not visible even in the X-Forwarded-For header (or any other field) to the origin? As shown in this article:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#RequestCustomIPAddresses

If a viewer sends a request to CloudFront and does not include an X-Forwarded-For request header, CloudFront gets the IP address of the viewer from the TCP connection, adds an X-Forwarded-For header that includes the IP address, and forwards the request to the origin.

Therefore all requests will have the IP address visible in the X-Forwarded-For header. Is there a way to disable this?

Mridang Agarwalla

1 Answer


Cloudfront Functions can run at the Viewer Request stage to modify incoming request headers; however, the client IP will still be appended to X-Forwarded-For when a request is passed on to the origin.

You can however use Lambda@Edge in the Origin Request stage to modify the headers sent to the origin (e.g. delete X-Forwarded-For).

Here is how that would look in Node.js:

exports.handler = async (event, context) => {
    const request = event.Records[0].cf.request;

    // Drop the header entirely so the origin never sees the viewer address.
    delete request.headers['x-forwarded-for'];
    return request;
};

Or if you want to scramble the last part of the IP:

exports.handler = async (event, context) => {
    const request = event.Records[0].cf.request;

    // Replace the header with the client address, its last octet set to 0.
    // The regex targets dotted IPv4; an IPv6 address ending in "::" is left unchanged.
    request.headers['x-forwarded-for'] = [{
        key: 'X-Forwarded-For',
        value: request.clientIp.replace(/\w+$/, '0')
    }];
    return request;
};

This could of course be extended to other headers if needed.

pjoe
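The same origin-request rewrite, as an added example that is not part of pjoe's answer: it generalises the truncation to both IPv4 (/24) and IPv6 (/48), drops the header outright when the address is unrecognised, and is exercised against a constructed event. The helper names anonymizeIp and rewriteRequest and the sample event are assumptions, not Lambda@Edge API.

```javascript
// Keep only the network part of the viewer address: first three octets of an
// IPv4 address (/24) or first three groups of an IPv6 address (/48).
// Returns null when the value is not recognised, so the caller can fail closed.
function anonymizeIp(ip) {
  if (typeof ip !== 'string') return null;
  if (ip.includes(':')) {
    // Expand "::" so the groups can be counted, then keep the first three.
    const [head, tail = ''] = ip.split('::');
    const headGroups = head ? head.split(':') : [];
    const tailGroups = tail ? tail.split(':') : [];
    const missing = 8 - headGroups.length - tailGroups.length;
    if (missing < 0) return null;
    const groups = [...headGroups, ...Array(missing).fill('0'), ...tailGroups];
    const kept = groups.slice(0, 3);
    while (kept.length > 1 && kept[kept.length - 1] === '0') kept.pop();
    return kept.join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o))) return null;
  octets[3] = '0';
  return octets.join('.');
}

// Rewrite the origin request in place (hypothetical helper). The whole header
// is replaced, so any X-Forwarded-For chain supplied by the viewer is dropped too.
function rewriteRequest(event) {
  const request = event.Records[0].cf.request;
  const anonymized = anonymizeIp(request.clientIp);
  if (anonymized === null) {
    delete request.headers['x-forwarded-for']; // fail closed: forward no address
  } else {
    request.headers['x-forwarded-for'] = [{ key: 'X-Forwarded-For', value: anonymized }];
  }
  return request;
}

exports.handler = async (event) => rewriteRequest(event);

// Constructed sample origin-request event, reduced to the fields touched above.
const SAMPLE_EVENT = {
  Records: [{ cf: { request: {
    clientIp: '203.0.113.45',
    headers: {
      host: [{ key: 'Host', value: 'example.com' }],
      'x-forwarded-for': [{ key: 'X-Forwarded-For', value: '198.51.100.7, 203.0.113.45' }],
    },
  } } }],
};
```

Deleting the header on an unrecognised address, rather than throwing, avoids surfacing a 5xx to the viewer while still keeping the real address away from the origin.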