
Gin framework (for Go) strongly suggests that it's unsafe to "trust all proxies". If I understand the docs correctly this impacts special HTTP headers like X-Forwarded-For, which is used to resolve the client IP when the service is behind a proxy/load balancer. Basically it tells Gin whether context.ClientIP() should return the regular client IP header or the X-Forwarded-For list of IPs.

We host our App on AWS EC2 instances with an Application Load Balancer (ALB) managing incoming requests. No public access is allowed directly to the instances; all requests go through the ALB.

Retrieving the client IP from X-Forwarded-For is of value to us for several reasons, but I'm not sure which is the correct way to configure this. There are two options in Gin:

  1. Engine.SetTrustedProxies() (see docs)
  2. Engine.SetTrustedPlatform()

If I set Engine.SetTrustedProxies(nil) no attempt to get X-Forwarded-For is made.

SetTrustedPlatform() allows me to pass the client IP as a custom named header, which would be redundant since ALB already has an option for appending X-Forwarded-For.

So I guess my question is this: how do I identify our ALB as a trusted proxy? It needs to be an IPv4/IPv6 address or corresponding CIDRs.

One possibility is to use the ALB "integrated service" called "Global Accelerator" which seems to attach a fixed IP as entry point to the ALB, however I'm not sure that IP is the actual IP that Gin sees as the proxy. Also, it seems a bit excessive for such a simple task.

Another approach is to disregard Gin's warning about trusting all proxies. Since there is no public access to the EC2 instances, it should be somewhat risk-free. Or am I missing something?

Is there a good way of identifying an ALB as a trusted proxy in this setup?

All input is appreciated, thanks

EDIT:

After talking to AWS support about this it seems that Global Accelerator is not the way to go. It only attaches a fixed IP for incoming traffic. The load balancer/proxy IP can still change over time and cannot be used as a trusted identifier.

Kalle

0 Answers
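An added example, written for this page and not taken from the question author or from Gin's source, showing why the trusted-proxy list matters for ClientIP(). It uses only the Go standard library to reproduce the semantics a trusted-proxy resolver follows: the X-Forwarded-For header is walked from the right, trusted hops are skipped, and the first untrusted address is the client. The subnets 10.0.1.0/24 and 10.0.2.0/24 are constructed values standing in for the VPC subnets the ALB is deployed into; an ALB node's address changes over time, but it is always allocated from the ALB's own subnets, so those CIDRs are the stable identifier the question asks for (in Gin that would be router.SetTrustedProxies([]string{"10.0.1.0/24", "10.0.2.0/24"})). The sample request is constructed too: the real client at 203.0.113.9 sends its own forged X-Forwarded-For value, and because the ALB appends the true address to an existing header, the forged value lands on the left.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// mustParseCIDRs turns a list of CIDR strings into *net.IPNet values.
func mustParseCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// albSubnets is a constructed example: the VPC subnets the ALB lives in.
// ALB node addresses change, but they are always drawn from these ranges.
var albSubnets = mustParseCIDRs([]string{"10.0.1.0/24", "10.0.2.0/24"})

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIPTrusted resolves the client address the way a trusted-proxy resolver
// does (the approach Gin's SetTrustedProxies enables, reimplemented here):
// the TCP peer is believed only if it is a trusted proxy; X-Forwarded-For is
// then walked from the right, skipping trusted hops, so a value the client
// supplied itself (which sits left of the address the ALB appended) is ignored.
func clientIPTrusted(remoteAddr, xff string, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return ""
	}
	if !isTrusted(peer, trusted) {
		return peer.String() // direct connection: the header is not believed
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // empty or malformed header: fall back to the peer
		}
		if i == 0 || !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return peer.String()
}

// clientIPTrustAll is the "trust every proxy" behaviour: the leftmost
// X-Forwarded-For entry wins, regardless of who put it there.
func clientIPTrustAll(remoteAddr, xff string) string {
	if first := strings.TrimSpace(strings.Split(xff, ",")[0]); first != "" {
		if ip := net.ParseIP(first); ip != nil {
			return ip.String()
		}
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

func main() {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		xff := r.Header.Get("X-Forwarded-For")
		fmt.Fprintf(w, "trusted=%s trustAll=%s\n",
			clientIPTrusted(r.RemoteAddr, xff, albSubnets),
			clientIPTrustAll(r.RemoteAddr, xff))
	})
	// Constructed request: client 203.0.113.9 sent a forged header entry,
	// the ALB node 10.0.1.5 appended the true address and forwarded it.
	req := httptest.NewRequest("GET", "/", nil)
	req.RemoteAddr = "10.0.1.5:48122"
	req.Header.Set("X-Forwarded-For", "198.51.100.77, 203.0.113.9")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	fmt.Print(rec.Body.String()) // trusted=203.0.113.9 trustAll=198.51.100.77
}
```

The difference between the two results is the whole point of the Gin warning: with "trust all", anything rate-limited, allow-listed or logged by client IP can be steered by a header the client controls, even when the instances themselves are not reachable from the internet. Trusting only the ALB's subnet CIDRs keeps the header usable without that weakness.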