XFF Headers with Azure Front Door and Azure Application Gateway
Overview
This blog post is inspired by one of my recent partner engagements where we took a closer look at how XFF headers behave when Azure Front Door sits in front of Application Gateway in the design. Detailed documentation on Azure Front Door is here, and the HTTP header support reference is here. I've done another blog on Azure Front Door architecture; this one covers just the XFF headers.
Configuration Snippet:
In the Azure Front Door designer, the backend pool is configured with a backend host header of app1.penguintrails.com, and the backend host is the Application Gateway listening on tcp/8080.
Front Door Side Configuration
Application Gateway listener
Validations:
End User DNS Resolution:
nehali@nn-linux-dev:~$ dig +noall +answer +nocomments nncolorsfd.penguintrails.com
nncolorsfd.penguintrails.com. 60 IN CNAME nncolors.azurefd.net.
nncolors.azurefd.net. 299 IN CNAME t-0001.t-msedge.net.
t-0001.t-msedge.net. 44 IN CNAME Edge-Prod-BL2r3.ctrl.t-0001.t-msedge.net.
Edge-Prod-BL2r3.ctrl.t-0001.t-msedge.net. 143 IN CNAME standard.t-0001.t-msedge.net.
standard.t-0001.t-msedge.net. 67 IN A 13.107.246.10
Packet Captures on the Red VM:
Result:
Two comma-separated IPs in the XFF header. The first entry was inserted by Azure Front Door and is the actual client IP (71.184.73.96, which also shows up in X-Azure-ClientIP and X-Azure-SocketIP). The second entry was appended by the Application Gateway and is the source address of the Front Door edge that connected to it (147.243.165.11), written in the IP:port form that Application Gateway uses. The capture also shows the connection to the red VM itself coming from the Application Gateway instance (172.16.253.6), with X-Forwarded-Port set to the 8080 listener.

Two caveats before an application uses any of this for access control or logging. Front Door appends to an existing X-Forwarded-For header rather than replacing it, so a client that sends its own XFF puts whatever it likes at the head of the list; the only entries you can trust are the ones added by hops you control, counted from the right. And because an Application Gateway can be reached without going through Front Door unless you restrict it, check that X-Azure-FDID matches your Front Door's ID (and ideally restrict the Application Gateway to the AzureFrontDoor.Backend service tag) before believing the Front Door headers at all.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0d:3a:8e:22:50 brd ff:ff:ff:ff:ff:ff
inet 172.16.2.4/24 brd 172.16.2.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20d:3aff:fe8e:2250/64 scope link
valid_lft forever preferred_lft forever
nehali@nn-red-vm:~$
172.16.253.6.38108 > 172.16.2.4.80: Flags [P.], cksum 0x753a (correct), seq 4622:5672, ack 2808, win 37, options [nop,nop,TS val 3732356603 ecr 1648501819], length 1050: HTTP, length: 1050
GET / HTTP/1.1
X-FORWARDED-PROTO: http
X-FORWARDED-PORT: 8080
X-Forwarded-For: 71.184.73.96, 147.243.165.11:33844
X-Original-URL: /
Connection: keep-alive
Host: app1.penguintrails.com
X-ORIGINAL-HOST: app1.penguintrails.com
Cache-Control: max-age=0
Via: 1.1 Azure
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-Modified-Since: Thu, 23 Jan 2020 19:14:00 GMT
If-None-Match: "49-59cd37191e857-gzip"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64
Upgrade-Insecure-Requests: 1
X-Azure-ClientIP: 71.184.73.96
X-Azure-Ref: 0D3KpXgAAAAClQkTCWGMSTpl6RhyH0uXkQk9TMzFFREdFMDQxMAA2NzhjZDdlMi0yMjFlLTQwN2QtOGNmZS1lZTgxMjE0NzU4ZmU=
X-Forwarded-Host: nncolorsfd.penguintrails.com
X-Azure-RequestChain: hops=1
X-Azure-SocketIP: 71.184.73.96
X-Azure-FDID: 678cd7e2-221e-407d-8cfe-ee81214758fe
12:24:46.973700 IP (tos 0x0, ttl 64, id 20651, offset 0, flags [DF], proto TCP (6), length 479)
172.16.2.4.80 > 172.16.253.6.38108: Flags [P.], cksum 0x58fd (incorrect -> 0xf02c), seq 2808:3235, ack 5672, win 501, options [nop,nop,TS val 1648502048 ecr 3732356603], length 427: HTTP, length: 427
HTTP/1.1 200 OK
Date: Wed, 29 Apr 2020 12:24:46 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Thu, 23 Jan 2020 19:14:00 GMT
ETag: "49-59cd37191e857-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 93
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html
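The headers in the capture above are what the application behind the gateway has to make sense of. The following is an added example, written for this post and not code from the original page or from Azure, of how a backend should recover the real client IP from that two-hop chain: count trusted hops from the right of X-Forwarded-For (strip the :port that Application Gateway appends), refuse requests that do not carry the expected X-Azure-FDID, and cross-check against X-Azure-SocketIP. The header values are copied from the capture; the Front Door ID, the 147.243.0.0/16 range, the hop count, and the spoofed 10.0.0.1 entry are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample, copied from the capture on this page: the headers the red VM
# received after the request traversed Front Door and then Application Gateway.
CAPTURED_HEADERS = {
    "X-Forwarded-For": "71.184.73.96, 147.243.165.11:33844",
    "X-Azure-ClientIP": "71.184.73.96",
    "X-Azure-SocketIP": "71.184.73.96",
    "X-Azure-FDID": "678cd7e2-221e-407d-8cfe-ee81214758fe",
}

# Constructed sample: the same request, but the client sent its own X-Forwarded-For.
# Front Door appends to an existing XFF header instead of replacing it, so the
# forged entry survives at the head of the list.
SPOOFED_HEADERS = {**CAPTURED_HEADERS,
                   "X-Forwarded-For": "10.0.0.1, 71.184.73.96, 147.243.165.11:33844"}

# Assumptions for this example: the Front Door ID of the deployment on this page and
# one range Front Door connects from. In production load the ranges from the
# AzureFrontDoor.Backend service tag rather than hard-coding them.
EXPECTED_FDID = "678cd7e2-221e-407d-8cfe-ee81214758fe"
FRONT_DOOR_NETWORKS = [ipaddress.ip_network("147.243.0.0/16")]
# Proxies we control that each append one XFF entry: Front Door, then App Gateway.
TRUSTED_HOPS = 2


def strip_port(entry: str) -> str:
    """Drop a trailing ':port' from 'ip:port' or '[ipv6]:port'; App Gateway writes the former."""
    entry = entry.strip()
    if entry.startswith("["):                      # [v6]:port
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:                      # v4:port (a bare v6 has more colons)
        return entry.split(":", 1)[0]
    return entry


def parse_xff(value: str) -> list:
    """Split an X-Forwarded-For value into bare, syntactically valid IP strings."""
    ips = []
    for raw in value.split(","):
        ip = strip_port(raw)
        if not ip:
            continue
        ipaddress.ip_address(ip)                   # raises ValueError on junk
        ips.append(ip)
    return ips


def naive_client_ip(headers: dict) -> str:
    """The common mistake: trust the first (leftmost) entry, which the client controls."""
    return parse_xff(headers["X-Forwarded-For"])[0]


def front_door_request(headers: dict) -> bool:
    """True only if the request carries our Front Door ID and the hop that connected
    to App Gateway (rightmost XFF entry) is a Front Door address."""
    if headers.get("X-Azure-FDID") != EXPECTED_FDID:
        return False
    entries = parse_xff(headers.get("X-Forwarded-For", ""))
    if not entries:
        return False
    last_hop = ipaddress.ip_address(entries[-1])
    return any(last_hop in net for net in FRONT_DOOR_NETWORKS)


def client_ip(headers: dict) -> str:
    """Client IP is the entry TRUSTED_HOPS from the right: App Gateway appended the
    Front Door address, and Front Door appended the client socket address just before
    it. Anything further left arrived inside the request and is untrusted."""
    if not front_door_request(headers):
        raise ValueError("request did not arrive via the expected Front Door")
    entries = parse_xff(headers["X-Forwarded-For"])
    if len(entries) < TRUSTED_HOPS:
        raise ValueError("fewer XFF entries than trusted hops")
    ip = entries[-TRUSTED_HOPS]
    # Cross-check against the header Front Door fills from its own TCP socket.
    socket_ip = headers.get("X-Azure-SocketIP")
    if socket_ip is not None and strip_port(socket_ip) != ip:
        raise ValueError(f"XFF client {ip} disagrees with X-Azure-SocketIP {socket_ip}")
    return ip


if __name__ == "__main__":
    print("captured:", client_ip(CAPTURED_HEADERS))        # 71.184.73.96
    print("spoofed: ", client_ip(SPOOFED_HEADERS))         # still 71.184.73.96
    print("naive:   ", naive_client_ip(SPOOFED_HEADERS))   # 10.0.0.1, attacker chosen
```

The hop count is deliberately a fixed configuration value rather than something derived from the header itself: if you ever add or remove a proxy in front of the application, TRUSTED_HOPS has to change with it, which is exactly the kind of drift a capture like the one above is good at catching.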