How to verify XFF_IP is from a known Proxy or CDN while enforcing key in Google Cloud Armor Security Policy?

I'm currently working on a project where I want to apply rate limiting at the load balancer level to each user's IP address. The idea is to throttle any user that crosses a certain request limit in a given unit of time.

Note: I am using Google Cloud Armor.

The architecture involves a CDN in front of the load balancer. As I understand it, when using a CDN, the IP address that my load balancer sees for incoming requests is the CDN's IP, not the original client's IP.

I've already tried using XFF_IP for rate limiting and it seems to be working as expected. However, I'm not sure how to safeguard against potential spoofing of the XFF header. Any insights or recommendations would be appreciated.

I read Pulumi's documentation to gain an understanding of the different keys I can enforce. XFF_IP is known to be faulty.

What measures can I take to prevent spoofing of the XFF header and ensure accurate rate limiting?
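The trust check the question is asking about, as an added example that is not part of the question and is not Google Cloud Armor's or Pulumi's code. The trusted ranges are constructed placeholders (RFC 5737 TEST-NET blocks) standing in for the CDN and load-balancer ranges you would load from the vendor's published list, and the limiter is a toy in-memory one. What it shows: `X-Forwarded-For` is a comma-separated chain in which each proxy appends the address it saw, so the only hop you can rely on is the one appended by a proxy you trust. Walk the chain from the right, skip your own CDN and load-balancer ranges, and key on the first address that is not yours; anything the client placed further left is ignored. A connection that does not arrive from a trusted proxy at all is keyed on its TCP peer address and flagged, so the origin can treat it as a CDN bypass.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed placeholder ranges (RFC 5737 TEST-NET blocks), standing in for the
# CDN and load-balancer address ranges you would load from the vendor's
# published list. Only these hops are trusted to have appended to X-Forwarded-For.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical CDN edge range
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical load balancer range
]


def is_trusted_proxy(ip):
    """True if ip (str or ip_address object) falls inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(str(ip).strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def resolve_client_ip(xff_header, peer_ip):
    """Pick the address to rate-limit on.

    Returns (key_ip, via_trusted_proxy).
    - If the TCP peer is not a trusted proxy, nothing we trust wrote the
      header: ignore it entirely and key on the peer.
    - Otherwise walk X-Forwarded-For from the right (most recently appended)
      and skip our own proxies; the first hop we did not add is the client.
      Whatever the client put further left is attacker-controlled and ignored.
    - Malformed or empty chains fall back to the peer address.
    """
    if not is_trusted_proxy(peer_ip):
        return str(peer_ip), False
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: do not guess, fall back to the peer
        if not is_trusted_proxy(addr):
            return str(addr), True
    return str(peer_ip), True


class RateLimiter:
    """Toy in-memory sliding-window limiter keyed by client IP (constructed for this example)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request(peer_ip, xff_header, now, limiter):
    """Derive the rate-limit key from the connection and apply the limiter."""
    key, via_proxy = resolve_client_ip(xff_header, peer_ip)
    return {
        "key": key,
        "via_trusted_proxy": via_proxy,  # False means the CDN was bypassed
        "allowed": limiter.allow(key, now),
    }


if __name__ == "__main__":
    limiter = RateLimiter(limit=2, window_seconds=60)
    # Constructed traffic: one real client (192.0.2.7) behind CDN edge
    # 203.0.113.10 sends three requests, each with a different forged prefix.
    for t, forged in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
        print(handle_request("203.0.113.10", f"{forged}, 192.0.2.7", t, limiter))
    # A direct hit on the origin that skipped the CDN: the header is ignored.
    print(handle_request("192.0.2.99", "203.0.113.10, 192.0.2.7", 5, limiter))
```

The three forged requests all resolve to the same key, so the second-request limit trips on the third call regardless of what the client wrote into the header. The check only holds if the origin is reachable solely through the trusted proxies, which is an infrastructure control (restricting the origin to the CDN's address ranges) rather than anything in the header itself; how that is expressed in Cloud Armor or Pulumi is not something this page states.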
