Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FEATURE] Identify traffic coming from MRT #1774

Open
johnboxall opened this issue May 5, 2024 · 1 comment
Open

[FEATURE] Identify traffic coming from MRT #1774

johnboxall opened this issue May 5, 2024 · 1 comment

Comments

@johnboxall
Copy link
Collaborator

johnboxall commented May 5, 2024

In stacked CDN setups, or when you're calling controllers or OCAPI, it can be useful to identify traffic originating from MRT such that you can configure firewall rules to allow it.

Today, it is possible to identify traffic that likely came from MRT but requires works to guarantee it.

The most straight forward way to provide some level of security is to inspect incoming HTTP requests for the x-mobify: true request header.

This is present in proxy requests:

https://playground-20x-us-west-1.mobify-storefront-staging.com/mobify/proxy/httpbin/headers
https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/proxying-requests.html#request-and-response-modifications

From there, you can also seek to allow only AWS IPs from the EC2 and CLOUDFRONT_ORIGIN_FACING ranges:

https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/mrt-overview.html#constraints

But this is a rather large set!

$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="EC2" or .service=="CLOUDFRONT") | .ip_prefix' | wc -l
1242

If you must identify requests from MRT, you can move requests to the App Server (ssr.js) and use an environment variable to a shared secret HTTP header ... but the App Server isn't optimized for forwarding requests like proxies are.

https://github.com/salesforceCommerceCloud/pwa-kit/compare/example-using-proxy

Ideally, we'd have some way to add a shared secret to out-going requests from MRT.

@johnboxall
Copy link
Collaborator Author

In some scenarios, we've seen the Storefront zone hosted on eCDN block traffic originating from MRT. To resolve, review your eCDN Allow Lists and Security Settings in Business Manager allowing traffic from MRT:

https://help.salesforce.com/s/articleView?id=cc.b2c_waf_application.htm&type=5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant