Localhost Loopback Protection

This behavior lets you secure requests that reach your hostnames via the loopback IP addresses, also known as localhost.

Why you need it

​Akamai​'s servers use the loopback IP address, also known as localhost, as a routing mechanism for certain functionality. Localhost is an internal address used for self-communication which allows a server to communicate with itself, without sending data packets across a network.

You can set up your properties to make localhost requests to hostnames defined on ​Akamai​. For example, the following requests use localhost:

  • EdgeWorkers subrequests to a hostname defined on ​Akamai​.
  • So-called '2-tree' requests, where the origin server defined in a property is a hostname defined on ​Akamai​.

The hostname that receives these requests sees the incoming client IP address as localhost.

Requests made from a property through localhost to a hostname defined on ​Akamai​ may bypass some of the security functionality implemented for that hostname using either security products (for example WAF) or delivery features (for example the Request Control cloudlet), because they are executed within a single ​Akamai​ server.

It is possible for one customer (Customer A) to make a request from their property via localhost to a hostname belonging to a different customer (Customer B). This is called a 'cross-account' localhost request.

How it works

This behavior allows you (Customer B in the above scenario) to explicitly allow or deny cross-account incoming localhost requests from 'source' customer A.

All incoming localhost requests to your hostnames from properties in your account are always allowed. This behavior only applies to localhost requests from other accounts.

You can add this behavior to do any of the following:

  • Deny all incoming cross-account localhost requests to hostname(s) on your property. This is the default option.
  • Allow all cross-account incoming localhost requests to hostname(s) on your property. This is not recommended.
  • Allow incoming cross-account localhost requests to hostname(s) on your property only from certain specific other accounts. The requests incoming from any other accounts are denied.

Note: If you don’t add this behavior, all incoming localhost requests from other customers are denied.

To specify the customer accounts from which you want to allow localhost requests, you must contact the other customer directly and request their Virtual Customer Domain (VCD). A VCD is a numeric string, available in the Property Version Information section for your property, which we use internally to identify customer accounts. You can then add this VCD to the list of allowed customers.

Features and options

Field: Loopback Cross-Account Policy
What it does: Specifies whether localhost requests to hostnames on this property are allowed from other accounts.
  • The Allow option allows all requests from any customer account to your account.
  • The Deny option blocks all requests from any customer to your account. Optionally you can specify an exception list of Virtual Customer Domain (VCD) IDs identifying customers who are allowed to make localhost requests to hostnames on this property.

Field: Allowed VCD IDs for Loopback
What it does: Lists numeric Virtual Customer Domain (VCD) IDs which identify customers who can make localhost requests to hostnames on this property. If the list is empty, all localhost requests from other customer accounts to hostnames on this property are denied.

When the Deny policy is selected, you can list the VCDs of specific other accounts whose localhost requests to your hostnames you want to allow. The policy then remains deny-all, with only the listed VCDs allowed.
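
The decision order described on this page, modeled as an added Python example (not Akamai code and not the Property Manager schema): same-account requests pass, a missing behavior denies, Allow admits every account, and Deny admits only listed VCDs. The class, function, property names and VCD values are hypothetical; audit() flags the not-recommended Allow setting and any listed VCD missing from an assumed inventory of approved partner accounts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoopbackBehavior:
    # Hypothetical model of the behavior's two fields, not Akamai's schema.
    policy: str = "DENY"                    # "ALLOW" or "DENY"
    allowed_vcds: frozenset = frozenset()   # exception list, used with DENY

    def __post_init__(self):
        if self.policy not in ("ALLOW", "DENY"):
            raise ValueError(f"unknown policy: {self.policy!r}")
        bad = sorted(v for v in self.allowed_vcds
                     if not (v.isascii() and v.isdigit()))
        if bad:  # the page describes a VCD as a numeric string
            raise ValueError(f"non-numeric VCD IDs: {bad}")

def decide(own_vcd, source_vcd, behavior):
    """Return "allow" or "deny" for one incoming localhost request."""
    if source_vcd == own_vcd:
        return "allow"   # same-account requests are always allowed
    if behavior is None:
        return "deny"    # behavior not added: cross-account is denied
    if behavior.policy == "ALLOW":
        return "allow"   # any account may send localhost requests
    return "allow" if source_vcd in behavior.allowed_vcds else "deny"

def audit(properties, approved_vcds):
    """List (property, finding) pairs that deserve a review."""
    findings = []
    for name, behavior in sorted(properties.items()):
        if behavior is None:
            continue
        if behavior.policy == "ALLOW":
            findings.append((name, "allows every account"))
            continue
        for vcd in sorted(behavior.allowed_vcds - approved_vcds):
            findings.append((name, f"unapproved VCD {vcd}"))
    return findings

# Constructed sample data: property names and VCD IDs are made up.
PROPERTIES = {
    "www.example.com": None,
    "api.example.com": LoopbackBehavior("DENY", frozenset({"20002", "30003"})),
    "legacy.example.com": LoopbackBehavior("ALLOW"),
}
APPROVED = {"20002"}   # assumed inventory of VCDs obtained from partners

if __name__ == "__main__":
    print(audit(PROPERTIES, APPROVED))
```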