Comment by alright2565

1 day ago

    x_forwarded_for = headers.get("X-Forwarded-For")
    if x_forwarded_for is None:
        x_forwarded_for = ipaddress.IPv4Address._string_from_ip_int(
            randint(0, MAX_IPV4)
        )

lol

The original author claims this is to prevent API gateway from leaking the true client IP.

  • To be fair, the code actually creates a new API Gateway server that acts as a proxy onto an already existing server, and you're possibly meant to use this header with your own gateway service.

    So, it's set as a header, sent to a user owned proxy, then to the actual external endpoint.

    On the other hand I think the receiving API Gateway will be able to see and log your AWS account identifier when you do this. So your IP may not be the only identifying information that needs to be obscured for this to actually work.

    • The original code is explicit as to the intended purpose:

              # Auto generate random X-Forwarded-For if doesn't exist.
              # Otherwise AWS forwards true IP address in X-Forwarded-For header
              x_forwarded_for = request.headers.get("X-Forwarded-For")
              if x_forwarded_for is None:
                  x_forwarded_for = ipaddress.IPv4Address._string_from_ip_int(randint(0, MAX_IPV4))
      
       The DOGE guy just stripped the comments out.

    • The code seems like a "creative" use of API gateway to turn it into a proxy for other external sites (single site, really, since you need one per site.) Wouldn't it be simpler to send the requests through a lambda (with a function URL) and get better control of the outbound requests?

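The thread's point is that a client-chosen X-Forwarded-For value is only ever the leftmost, unverifiable part of the header; any proxy in the path appends the address it actually saw. The following is an added example, not code from the thread or from the project being discussed, showing how a receiving service should derive the client address from that header: walk the entries right to left, skip only proxies it explicitly trusts, and treat everything to the left as untrusted client input to be logged but never relied on. The trusted proxy range and the sample header values are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Sequence


def parse_xff(value: str) -> List[str]:
    """Split an X-Forwarded-For header into its comma-separated hop entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def _is_trusted(addr: str, trusted: Sequence[ipaddress._BaseNetwork]) -> bool:
    """True if addr parses as an IP and lies inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_from_xff(remote_addr: str, xff: Optional[str],
                       trusted_proxies: Sequence[str]) -> str:
    """Return the best-effort client IP for a request.

    remote_addr:     the TCP peer that delivered the request to us
    xff:             the raw X-Forwarded-For header, or None
    trusted_proxies: CIDR ranges of proxies we operate (constructed/assumed here)

    Entries are examined from the right (closest to us) to the left. Trusted
    proxies are skipped; the first non-trusted entry is the client. Anything
    further left was supplied by that client (or by earlier untrusted hops)
    and is never used as the source address.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    # If the direct peer is not one of our proxies, the header is untrustworthy.
    if not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = parse_xff(xff) if xff else []
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed entry next to a trusted proxy: refuse to guess, use the peer.
            return remote_addr
    return remote_addr


def unverified_hops(remote_addr: str, xff: Optional[str],
                    trusted_proxies: Sequence[str]) -> List[str]:
    """Return the X-Forwarded-For entries that precede the resolved client IP.

    These are client-controlled strings (a randomised value like the one in
    the thread would show up here) and belong in logs as untrusted data only.
    """
    client = client_ip_from_xff(remote_addr, xff, trusted_proxies)
    hops = parse_xff(xff) if xff else []
    if client not in hops:
        return hops
    # Everything left of the last occurrence of the resolved client is unverified.
    idx = len(hops) - 1 - hops[::-1].index(client)
    return hops[:idx]


if __name__ == "__main__":
    # Constructed scenario: our own proxy at 10.0.0.5 appended the true caller
    # 198.51.100.22 after a client-supplied random entry 203.0.113.7.
    trusted = ["10.0.0.0/8"]
    header = "203.0.113.7, 198.51.100.22"
    print(client_ip_from_xff("10.0.0.5", header, trusted))   # 198.51.100.22
    print(unverified_hops("10.0.0.5", header, trusted))      # ['203.0.113.7']
```

The random value the thread laughs about ends up in `unverified_hops`, not in the resolved client address, as long as the receiving side only honours entries appended by proxies it controls. A service that instead takes the leftmost entry is the one that gets fooled, and that misconfiguration, not the header itself, is what to look for in a review.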