This repository has been archived by the owner on Feb 25, 2022. It is now read-only.
Hide Client IP address from Actions? #562
Labels
question
Further information is requested
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
While looking at our Coralogix logs, I saw this Googlebot visit to helix-static:
{ "level": "info", "ow": { "activationId": "be6e21fa3c924126ae21fa3c92912645", "actionName": "/helix/helix-services/dispatch@4.0.5", "transactionId": "ae266f23-7ab5-369f-83cc-5f2490d54ea4" }, "cdn": { "url": "https://theblog--adobe.hlx.page/footer.plain.html" }, "message": "[4] Action: fb53660b8f84df4df216593b048ed09f9ce38fcc/hlx--static", "actionOptions": { "name": "fb53660b8f84df4df216593b048ed09f9ce38fcc/hlx--static", "params": { "path": "/404.html", "plain": true, "__ow_headers": { "accept": "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8", "authorization": "[undisclosed secret]", "cdn-loop": "Fastly, Fastly, Fastly, Fastly, Fastly, Fastly", "connection": "close", "fastly-client": "1", "fastly-client-ip": "66.249.73.232", "fastly-ff": "d/pSKZ8rlnWKwhuqLlOfEaT6D8DNve05rythR5w/Q5M=!DFW!cache-dfw18657-DFW, d/pSKZ8rlnWKwhuqLlOfEaT6D8DNve05rythR5w/Q5M=!DFW!cache-dfw18627-DFW, d/pSKZ8rlnWKwhuqLlOfEaT6D8DNve05rythR5w/Q5M=!BWI!cache-bwi5122-BWI, d/pSKZ8rlnWKwhuqLlOfEaT6D8DNve05rythR5w/Q5M=!BWI!cache-bwi5147-BWI, Lu93u9r/N97Ej+BINSy2/RNtT+0/QKua+B+1EfHKboA=!BWI!cache-bwi5050-BWI, Lu93u9r/N97Ej+BINSy2/RNtT+0/QKua+B+1EfHKboA=!BWI!cache-bwi5140-BWI", "fastly-force-shield": "yes", "fastly-orig-accept-encoding": "gzip", "fastly-ssl": "1", "from": "googlebot(at)googlebot.com", "hlx-forwarded-host": "blog.adobe.com, blog.adobe.com, theblog--adobe.hlx.page", "host": "controller-a", "perf-br-req-in": "1596785439.890", "redirect-to": "/en/2016/05/19/introducing-adobe-spark.html", "user-agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "x-cdn-request-id": "ae266f23-7ab5-369f-83cc-5f2490d54ea4", "x-cdn-url": "https://theblog--adobe.hlx.page/footer.plain.html", "x-dispatch-nocache": "true", "x-dispatch-version": "v4", "x-encoded-params": "", "x-esi": "1", "x-forwarded-for": "66.249.73.232, 157.52.86.27, 157.52.99.47, 157.52.99.40, 10.250.206.251", "x-forwarded-host": "adobeioruntime.net", "x-forwarded-port": "443", "x-forwarded-proto": "https", "x-forwarded-server": "cache-dfw18657-DFW, cache-bwi5122-BWI, cache-bwi5050-BWI", "x-from-edge": "1596785439,BWI,0x22ac204d80880b157a0ce9e4723226f64eeef6d0f99d33da7de81d19e38c2c33", "x-fulldirname": "/", "x-old-url": "/footer.plain.html", "x-real-ip": "10.250.206.251", "x-repo-root-path": "", "x-request-id": "ae266f23-7ab5-369f-83cc-5f2490d54ea4", "x-strain": "default", "x-timer": "S1596785437.477904,VS0,VS0,VS0", "x-topurl": "/en/publish/2016/05/19/introducing-adobe-spark.html", "x-trace": "vcl_recv; hlx_recv_init; hlx_strain(resolved); hlx_block_recv; hlx_deny; hlx_allow; hlx_determine_request_type(none); hlx_type_dispatch; hlx_owner; hlx_repo; hlx_ref; hlx_root_path; hlx_index; hlx_github_static_owner; hlx_github_static_repo; hlx_github_static_ref; hlx_github_static_root(/htdocs); hlx_action_root; vcl_hash(theblog--adobe.hlx.page/footer.plain.html)", "x-varnish": "2955189010", "x-version": "385; src=385; cli=6.1.9; rev=online" }, "__ow_method": "get", "owner": "adobe", "repo": "helix-pages", "ref": "39430ac97ada5b011835f66e42462b94a3112957", "root": "/htdocs", "branch": "master" } }, "timestamp": "2020-08-07T07:30:39.993026669Z" }It seems like we pass the client IP address in the
x-forwarded-forandfastly-client-ipheaders. Ironically, thex-real-ipheader set by runtime is not the real client IP, but a Fastly IP address.I would suggest masking the client IP address hard so that it won't get passed into customer actions where it might get logged by accident.
The text was updated successfully, but these errors were encountered: