X-Forwarded-For in Cloudfront logs

danisola · August 11, 2016, 11:14am

Hello Snowplowers,

I have recently discovered something that puzzled me: doing the request from a client to a Cloudfront collector and to a Scala Stream collector would result in different user_ipaddress fields after enriching the events.

I checked the contents of both the Cloudfront log line and the Thrift event and found that both had the x-forwarded-for field/header set.

After digging into the source code, I think I found the reason. The ThriftLoader used to load events from the Scala Stream collector uses the x-forwarded-for header to determine the user’s IP, but the CloudfrontLoader ignores the x-forwarded-for field from the log line.

Am I missing something? Would you accept PRs to make CloudfrontLoader use the x-forwarded-for field?

Regards,
Dani

ecoron · August 11, 2016, 12:48pm

I think you are right,
there are some fields added to the cloudfront log, since 29 Apr 2014:

x-forwarded-for
ssl-protocol
ssl-cipher
x-edge-response-result-type
cs-protocol-version

alex · August 11, 2016, 1:09pm

Hi both, good catch @danisola - yes a PR sounds good!

Topic		Replies	Views
X-Forwarded-For vs forwarded headers for user_ipaddress Enrichment	4	1628	October 27, 2022
User_ipaddress field is 2405 Snowplow Mini	11	1978	April 20, 2018
Collector only accepting request from particular domain For engineers	4	1150	September 18, 2020
POST data from CloudFront Collector Collectors	5	2386	May 16, 2016
Does Snowplow support HTTPS? Should data only be sent via HTTPS? Collectors	4	1595	August 25, 2017

X-Forwarded-For in Cloudfront logs

Related Topics