Monday, March 23, 2020

XFF headers with Azure Front Door

Architecture

XFF Headers with Azure Front Door and Azure Application Gateway

Overview

This blog post is inspired by one of my recent partner engagements, where we took a closer look at how XFF (X-Forwarded-For) headers behave when Azure Front Door and Azure Application Gateway are chained in the design. Detailed documentation on Azure Front Door, and on the HTTP headers it supports, is available in the Azure docs. I've done another blog on Azure Front Door architecture; this one covers just the XFF headers.


Configuration Snippet:

In the Azure Front Door designer, the backend pool is configured with a host header of app1.penguintrails.com, and the backend host is the Application Gateway listening on tcp/8080.

Front Door Side Configuration

Application Gateway listener


Validations:


End User DNS Resolution:

nehali@nn-linux-dev:~$ dig +noall +answer +nocomments  nncolorsfd.penguintrails.com
nncolorsfd.penguintrails.com. 60 IN     CNAME   nncolors.azurefd.net.
nncolors.azurefd.net.   299     IN      CNAME   t-0001.t-msedge.net.
t-0001.t-msedge.net.    44      IN      CNAME   Edge-Prod-BL2r3.ctrl.t-0001.t-msedge.net.
Edge-Prod-BL2r3.ctrl.t-0001.t-msedge.net. 143 IN CNAME standard.t-0001.t-msedge.net.
standard.t-0001.t-msedge.net. 67 IN     A       13.107.246.10


Host Header: app1.penguintrails.com

Packet Captures on the Red VM:

Result:
Two comma-separated IPs in the XFF header! The first IP is inserted by Azure Front Door and the second by the Azure Application Gateway. The first IP matches the actual client IP, and the second is the IP (with source port) of the AFD instance that connected to the Application Gateway.


nn-red-vm:~$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:3a:8e:22:50 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.4/24 brd 172.16.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:3aff:fe8e:2250/64 scope link
       valid_lft forever preferred_lft forever

nehali@nn-red-vm:~$


    172.16.253.6.38108 > 172.16.2.4.80: Flags [P.], cksum 0x753a (correct), seq 4622:5672, ack 2808, win 37, options [nop,nop,TS val 3732356603 ecr 1648501819], length 1050: HTTP, length: 1050
        GET / HTTP/1.1
        X-FORWARDED-PROTO: http
        X-FORWARDED-PORT: 8080
        X-Forwarded-For: 71.184.73.96, 147.243.165.11:33844
        X-Original-URL: /
        Connection: keep-alive
        Host: app1.penguintrails.com
        X-ORIGINAL-HOST: app1.penguintrails.com
        Cache-Control: max-age=0
        Via: 1.1 Azure
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        If-Modified-Since: Thu, 23 Jan 2020 19:14:00 GMT
        If-None-Match: "49-59cd37191e857-gzip"
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64
        Upgrade-Insecure-Requests: 1
        X-Azure-ClientIP: 71.184.73.96
        X-Azure-Ref: 0D3KpXgAAAAClQkTCWGMSTpl6RhyH0uXkQk9TMzFFREdFMDQxMAA2NzhjZDdlMi0yMjFlLTQwN2QtOGNmZS1lZTgxMjE0NzU4ZmU=
        X-Forwarded-Host: nncolorsfd.penguintrails.com
        X-Azure-RequestChain: hops=1
        X-Azure-SocketIP: 71.184.73.96
        X-Azure-FDID: 678cd7e2-221e-407d-8cfe-ee81214758fe

12:24:46.973700 IP (tos 0x0, ttl 64, id 20651, offset 0, flags [DF], proto TCP (6), length 479)
    172.16.2.4.80 > 172.16.253.6.38108: Flags [P.], cksum 0x58fd (incorrect -> 0xf02c), seq 2808:3235, ack 5672, win 501, options [nop,nop,TS val 1648502048 ecr 3732356603], length 427: HTTP, length: 427
        HTTP/1.1 200 OK
        Date: Wed, 29 Apr 2020 12:24:46 GMT
        Server: Apache/2.4.29 (Ubuntu)
        Last-Modified: Thu, 23 Jan 2020 19:14:00 GMT
        ETag: "49-59cd37191e857-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 93
        Keep-Alive: timeout=5, max=92
        Connection: Keep-Alive
        Content-Type: text/html
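The capture above shows why a backend must not simply take the leftmost XFF value as the client IP: anything a client sends in its own X-Forwarded-For header is preserved ahead of the entries the Azure hops append. The example below is added here and is not code from the post or from Azure; it walks the XFF chain from right to left, skips hops that belong to trusted proxy networks, strips the `ip:port` form that Application Gateway appends, and checks X-Azure-FDID so the backend can tell that the request really came through the expected Front Door. The header values are taken from the capture; the trusted networks and the expected FDID are assumptions (the 147.243.165.0/24 range is a placeholder standing in for the Front Door egress range).

```python
import ipaddress

# Constructed sample: header values copied from the packet capture in the post.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "71.184.73.96, 147.243.165.11:33844",
    "X-Azure-FDID": "678cd7e2-221e-407d-8cfe-ee81214758fe",
    "X-Azure-ClientIP": "71.184.73.96",
}

# Assumption: networks whose XFF entries the backend trusts.
# 172.16.253.0/24 is the Application Gateway subnet seen in the capture;
# 147.243.165.0/24 is a placeholder for the Front Door egress range.
TRUSTED_PROXIES = [
    ipaddress.ip_network("172.16.253.0/24"),
    ipaddress.ip_network("147.243.165.0/24"),
]

# Assumption: the Front Door ID this backend expects (value from the capture).
EXPECTED_FDID = "678cd7e2-221e-407d-8cfe-ee81214758fe"


def strip_port(entry):
    """Return the bare address from an XFF entry that may carry a port.
    Handles 'a.b.c.d', 'a.b.c.d:port', '[v6]:port' and bare v6."""
    entry = entry.strip()
    if entry.startswith("["):            # [2001:db8::1]:443
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:            # IPv4 with port, as AppGW appends
        return entry.split(":")[0]
    return entry                         # bare IPv4 or bare IPv6


def is_trusted(addr):
    """True if the address sits inside one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(headers, peer_ip):
    """Derive the client IP from the XFF chain.

    The TCP peer must itself be a trusted proxy, otherwise XFF is ignored.
    The chain is then walked right to left; the first address that is not
    a trusted proxy is the client. A malformed entry yields None rather than
    a guess.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        return str(peer)
    xff = headers.get("X-Forwarded-For", "")
    entries = [e for e in xff.split(",") if e.strip()]
    for raw in reversed(entries):
        try:
            addr = ipaddress.ip_address(strip_port(raw))
        except ValueError:
            return None
        if not is_trusted(addr):
            return str(addr)
    return str(peer)   # every hop was trusted: fall back to the peer


def via_front_door(headers):
    """True only if the request carries the Front Door ID we expect."""
    return headers.get("X-Azure-FDID") == EXPECTED_FDID


if __name__ == "__main__":
    print("client:", client_ip(SAMPLE_HEADERS, "172.16.253.6"))
    print("via expected Front Door:", via_front_door(SAMPLE_HEADERS))
```

Because the walk starts from the right, a client-supplied value such as `1.2.3.4` prepended to the chain is simply never reached; the Application Gateway's `ip:port` entry is the one hop that needs the port stripped before the address can be parsed.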
