@maniryu maniryu commented Aug 27, 2025

Issue #, if available: none

Description of changes:

Fixed to properly handle requests through CloudFront with WAF IP allow list rules

Problem

When configuring the AllowListedIPRanges parameter in the ISB Compute stack, the WAF allowlist rule (IsbAllowListRule) was blocking legitimate requests.
This occurred because the rule was using CloudFront IP addresses for access control instead of the actual client IP addresses.

Solution

  • Added ipSetForwardedIpConfig to the IsbAllowListRule in the WAF configuration
  • Disabled IPv6 for the CloudFront distribution
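Added example, not code from the ISB project: a small TypeScript model of how an IP-set rule chooses the address it compares against the allow list, with and without a forwarded-IP configuration shaped like CfnWebACL's ipSetForwardedIpConfig (headerName, fallbackBehavior, position). The evaluation logic, the WafRequest type and the sample addresses are assumptions for illustration, not the WAF engine, and the ANY position is left out.

```typescript
type FallbackBehavior = "MATCH" | "NO_MATCH";
// Assumed shape mirroring CfnWebACL's ipSetForwardedIpConfig; ANY position omitted for brevity.
interface ForwardedIpConfig { headerName: string; fallbackBehavior: FallbackBehavior; position: "FIRST" | "LAST" }
// Assumed request model: the TCP source address plus lower-cased header names.
interface WafRequest { sourceIp: string; headers: Record<string, string> }

// Parse an IPv4 dotted quad into a 32-bit number; null when the text is not a valid address.
function parseIpv4(text: string): number | null {
  const parts = text.trim().split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// True when ip lies inside the IPv4 CIDR block (the allow list in this PR is IPv4 only).
function inCidr(ip: number, cidr: string): boolean {
  const [base, bitsText] = cidr.split("/");
  const baseValue = parseIpv4(base);
  const bits = Number(bitsText);
  if (baseValue === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((baseValue & mask) >>> 0);
}

// Without a forwarded-IP config the rule only sees the connection source, which behind CloudFront
// is the edge address (the bug this PR fixes). With it, the FIRST or LAST entry of the named header
// is tested instead, and fallbackBehavior decides the outcome when the header is absent or invalid.
function ipSetRuleMatches(req: WafRequest, allowList: string[], fwd?: ForwardedIpConfig): boolean {
  let candidate: number | null;
  if (fwd === undefined) {
    candidate = parseIpv4(req.sourceIp);
  } else {
    const raw = req.headers[fwd.headerName.toLowerCase()] ?? "";
    const entries = raw.split(",").filter((e) => e.trim() !== "");
    const chosen = fwd.position === "FIRST" ? entries[0] : entries[entries.length - 1];
    candidate = chosen === undefined ? null : parseIpv4(chosen);
    if (candidate === null) return fwd.fallbackBehavior === "MATCH";
  }
  if (candidate === null) return false;
  return allowList.some((cidr) => inCidr(candidate as number, cidr));
}

// Constructed sample: an office allow list and a request arriving through a CloudFront edge
// (192.0.2.10 is a documentation-range placeholder for the edge address).
const ALLOW_LIST = ["203.0.113.0/24"];
const VIA_CLOUDFRONT: WafRequest = { sourceIp: "192.0.2.10", headers: { "x-forwarded-for": "203.0.113.42, 192.0.2.10" } };
const FORWARDED: ForwardedIpConfig = { headerName: "X-Forwarded-For", fallbackBehavior: "NO_MATCH", position: "FIRST" };
```

Because the FIRST entry of X-Forwarded-For is whatever the viewer sent before CloudFront appended its own value, the allow list trusts that entry only as far as the header can be trusted, so keep the distribution as the only path to the origin. fallbackBehavior is the setting to review when a request without a usable header must be denied rather than allowed.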

@maniryu maniryu marked this pull request as draft August 27, 2025 03:00
@maniryu maniryu closed this Aug 27, 2025
@maniryu maniryu reopened this Aug 27, 2025
priceClass: PriceClass.PRICE_CLASS_ALL,
httpVersion: HttpVersion.HTTP2,
minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2019,
enableIpv6: false,
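Review bot: `enableIpv6: false` removes reachability for every IPv6-only viewer, and the rationale quoted in the author's comment on this line concerns signed URL/cookie custom policies with the IpAddress parameter rather than the WAF IP-set rule that this PR changes; add a code comment on this line stating why IPv6 is disabled for the allow list (for example that AllowListedIPRanges is expected to hold IPv4 CIDRs only) so the setting is not later removed as unrelated.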
@maniryu maniryu (Author) Aug 27, 2025


AWS::CloudFront::Distribution DistributionConfig - AWS CloudFormation
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-distributionconfig.html

In general, you should enable IPv6 if you have users on IPv6 networks who want to access your content. However, if you're using signed URLs or signed cookies to restrict access to your content, and if you're using a custom policy that includes the IpAddress parameter to restrict the IP addresses that can access your content, don't enable IPv6.

@maniryu maniryu marked this pull request as ready for review August 27, 2025 05:23
@maniryu maniryu changed the title fix: Add X-Forwarded-For config to WAF IP set rule fix: Requests are forbidden when AllowListedIPRanges parameter is configured Aug 27, 2025
@aws-khargita aws-khargita (Member) commented
Thanks for opening this PR! Our process requires us to merge code to our internal repository to publish the pre-synthesized cloudformation templates and GH release, unfortunately that means we cannot merge this PR directly in GH. As an OS project we still absolutely encourage devs to submit PRs so I do not want to deter you from contributing further. We will incorporate this into the next release and attribute you with credit in the changelog. Thanks again for contributing!

@aws-khargita aws-khargita added the bug Something isn't working label Sep 4, 2025