  • #13174
Closed (moved) (moved)
Open
Created Sep 16, 2014 by David Fifield@dcf

Amazon CloudFront sets X-Forwarded-For

Amazon sets the X-Forwarded-For header that contains the client's true IP. Here's what the header looks like as it arrives at meek-server:

POST / HTTP/1.1
Host: d1727xplrgzao3.cloudfront.net
Via: 1.1 c54d7f08e2f3dab1918454910cc8aad0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 4ygWFdM8S5fIh-pnW7BK7hKsA7vv6tba-G30YwVHLCXT2Kblcl_yDw==
Connection: Keep-Alive
Content-Length: 244
Accept-Encoding: gzip, deflate
X-Forwarded-Proto: https
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
X-Forwarded-For: 192.0.2.101
CloudFront-Is-Mobile-Viewer: false
CloudFront-Is-Tablet-Viewer: false
CloudFront-Is-Desktop-Viewer: true
CloudFront-Viewer-Country: US
Accept-Language: en-US,en;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
CloudFront-Forwarded-Proto: https
X-Session-Id: FHY4jxw72uodLxdRbrFtqRMnBbMxoa5USSuLj1pzh4w=
Content-Type: application/octet-stream

From a censorship point of view, the presence of the client IP address doesn't make a difference, because the request is out of the censor's view by the time the IP is visible. From a surveillance point of view, it doesn't really increase the exposure of clients over ordinary bridges or other transports, because someone surveilling one of those bridges also gets a list of client IPs. But if we can hide the IP on the link between the CDN and meek-server, then we can be in an even better situation with respect to surveillance.

Previously we didn't enable HTTPS on the link between App Engine and meek-server because it increased latency (ticket #10935, comment 6). That was for App Engine, though, not Amazon, and HTTPS is not as slow anymore with optimizations made in newer Go releases. (Now it's about 300 ms with HTTPS and 100 ms without.)
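An added example (not meek-server's own code) of the complementary server-side defense: parse the request as it arrives from CloudFront and drop the client-describing headers before anything downstream can log them. The header list and the sample request are this example's own, constructed from the headers quoted above.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// CDN-added headers describing the real client (this example's own list, from the ticket).
var clientIdentifyingHeaders = []string{
	"X-Forwarded-For",
	"CloudFront-Viewer-Country",
	"CloudFront-Is-Desktop-Viewer",
}

// scrubClientIdentifiers deletes those headers in place, before access logs or a
// crash dump can record the client IP, and returns the names that were present.
func scrubClientIdentifiers(h http.Header) []string {
	var removed []string
	for _, name := range clientIdentifyingHeaders {
		if _, ok := h[http.CanonicalHeaderKey(name)]; ok {
			removed = append(removed, name)
			h.Del(name)
		}
	}
	return removed
}

func parseRequest(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// Constructed from the ticket's request; body omitted (Content-Length: 0).
const sampleRequest = "POST / HTTP/1.1\r\n" +
	"Host: d1727xplrgzao3.cloudfront.net\r\n" +
	"X-Forwarded-For: 192.0.2.101\r\n" +
	"CloudFront-Viewer-Country: US\r\n" +
	"X-Session-Id: FHY4jxw72uodLxdRbrFtqRMnBbMxoa5USSuLj1pzh4w=\r\n" +
	"Content-Length: 0\r\n\r\n"

func main() {
	req, err := parseRequest(sampleRequest)
	if err != nil {
		panic(err)
	}
	fmt.Println("removed:", scrubClientIdentifiers(req.Header))
	fmt.Println("kept:", req.Header.Get("X-Session-Id")) // meek still needs the session id
}
```

Scrubbing at the server does not hide the IP from an observer of the CDN-to-server link; that is what the HTTPS option above addresses, so the two measures complement each other.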
