Access Control policy ignoring True-Client-IP

Hello all,

I have a problem that looks like https://www.googlecloudcommunity.com/gc/Apigee/Access-control-policy-not-working/m-p/530904

I have set up a minimal proxy with AccessControl as a first step like so.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessControl continueOnError="false" enabled="true" name="AC-FilteringIP">
  <DisplayName>AC-FilteringIP</DisplayName>
  <IgnoreTrueClientIPHeader>false</IgnoreTrueClientIPHeader>
  <!-- Any address that matches no rule below is denied -->
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="24">194.5.53.0</SourceAddress>
    </MatchRule>
  </IPRules>
  <!-- Which X-Forwarded-For entry the rules are evaluated against -->
  <ValidateBasedOn>X_FORWARDED_FOR_FIRST_IP</ValidateBasedOn>
</AccessControl>

I made a call from my phone, and it got rejected with the following error:

{"fault":{"faultstring":"Access Denied for client ip : 10.90.132.89","detail":{"errorcode":"steps.accesscontrol.IPDeniedAccess"}}}

This is unsettling, because my phone's IP address was 194.5.53.61. 

First, the firewall set the HTTP header true-client-ip to 194.5.53.61. Since I used <IgnoreTrueClientIPHeader>false</IgnoreTrueClientIPHeader> in the policy, I expected the policy to check the IP address set in the true-client-ip header, but it didn't.

Second, I had hoped that Apigee would validate the first IP address of the x-forwarded-for HTTP header, as instructed by <ValidateBasedOn>X_FORWARDED_FOR_FIRST_IP</ValidateBasedOn>, but that didn't work out either.

Is there something obvious I missed? I'd like to avoid having to validate IP addresses in custom JavaScript if at all possible.

[Attachment: Access Control - http headers.PNG]

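The following is an added example, not part of the original post and not Apigee's implementation. It is a stand-alone Python model of the address-selection choices the policy above names (True-Client-IP override, X_FORWARDED_FOR_FIRST_IP / LAST_IP / ALL_IP, the single 194.5.53.0/24 ALLOW rule) so a practitioner can see which address each setting would test and why trusting the first X-Forwarded-For entry is spoofable by any client that can set the header. It does not model how Apigee's edge populates or strips these headers and does not explain the posted error; the request headers, the 203.0.113.7 attacker address, the assumption that 10.90.132.89 is an internal hop, and the X-Forwarded-For values are all constructed.

```python
"""
Added illustration (not Apigee's code): a stand-alone model of how an
allow-list check picks the address to test from True-Client-IP and
X-Forwarded-For, using the option names from the policy in the post.
Whether Apigee's edge populates or strips these headers is NOT modelled;
every request below is constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# The single rule from the posted policy.
ALLOW_NETS = [ipaddress.ip_network("194.5.53.0/24")]


def _split_xff(value: str) -> List[str]:
    """'a, b ,c' -> ['a', 'b', 'c']; an empty or missing header yields []."""
    return [p.strip() for p in value.split(",") if p.strip()]


def candidate_ips(headers: Dict[str, str], peer_ip: str,
                  validate_based_on: str = "X_FORWARDED_FOR_FIRST_IP",
                  ignore_true_client_ip: bool = False) -> List[str]:
    """Which address(es) the IPRules are evaluated against.

    Modelled semantics (an assumption mirroring the option names):
      - True-Client-IP wins unless it is ignored;
      - otherwise FIRST_IP / LAST_IP pick one X-Forwarded-For entry,
        ALL_IP requires every entry to match;
      - with no usable header, fall back to the TCP peer address.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not ignore_true_client_ip and h.get("true-client-ip", "").strip():
        return [h["true-client-ip"].strip()]
    xff = _split_xff(h.get("x-forwarded-for", ""))
    if not xff:
        return [peer_ip]
    if validate_based_on == "X_FORWARDED_FOR_FIRST_IP":
        return [xff[0]]
    if validate_based_on == "X_FORWARDED_FOR_LAST_IP":
        return [xff[-1]]
    if validate_based_on == "X_FORWARDED_FOR_ALL_IP":
        return xff
    raise ValueError(f"unknown ValidateBasedOn: {validate_based_on}")


def is_allowed(ips: Iterable[str], allow=ALLOW_NETS) -> bool:
    """noRuleMatchAction=DENY: every candidate must fall in an ALLOW network.
    Unparsable addresses fail closed."""
    try:
        return all(any(ipaddress.ip_address(ip) in net for net in allow)
                   for ip in ips)
    except ValueError:
        return False


def client_ip_from_trusted_hops(xff_value: str, peer_ip: str,
                                trusted_hops: int) -> str:
    """Safer way to recover the client address: walk the chain from the
    right, skipping exactly the proxies you operate. Everything further
    left was supplied by the client and can say anything."""
    chain = _split_xff(xff_value) + [peer_ip]
    if trusted_hops >= len(chain):
        # Fewer hops than expected: trust nothing the client supplied.
        return peer_ip
    return chain[len(chain) - 1 - trusted_hops]


def run_scenarios() -> Dict[str, bool]:
    """Constructed requests; results keyed by scenario name."""
    # Assumed shape of the post's situation: phone at 194.5.53.61 behind a
    # firewall that sets True-Client-IP; 10.90.132.89 taken as the internal hop.
    via_firewall = {"True-Client-IP": "194.5.53.61",
                    "X-Forwarded-For": "194.5.53.61, 10.90.132.89"}
    hop = "10.90.132.89"
    # A client at 203.0.113.7 that forges the header itself (constructed).
    forged = {"X-Forwarded-For": "194.5.53.61"}
    return {
        "true_client_ip_honoured": is_allowed(candidate_ips(via_firewall, hop)),
        "xff_first": is_allowed(candidate_ips(via_firewall, hop, "X_FORWARDED_FOR_FIRST_IP", True)),
        "xff_last": is_allowed(candidate_ips(via_firewall, hop, "X_FORWARDED_FOR_LAST_IP", True)),
        "xff_all": is_allowed(candidate_ips(via_firewall, hop, "X_FORWARDED_FOR_ALL_IP", True)),
        "forged_first_ip_passes": is_allowed(candidate_ips(forged, "203.0.113.7", "X_FORWARDED_FOR_FIRST_IP", True)),
        "forged_caught_by_trusted_hops": is_allowed(
            [client_ip_from_trusted_hops(forged["X-Forwarded-For"], "203.0.113.7", 0)]),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'ALLOW' if ok else 'DENY'}")
```

The two results to compare are `forged_first_ip_passes` and `forged_caught_by_trusted_hops`: selecting the first X-Forwarded-For entry lets a client outside 194.5.53.0/24 pass simply by writing an allowed address into the header, whereas counting back over a known number of proxies you control only ever trusts what those proxies appended. Whichever header an edge honours, the allow-list is only as strong as the guarantee that the edge overwrites or strips client-supplied values of that header.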