Access Control using X-Forwarded-For Header


To allow or deny traffic based on client IP addresses you can use the Access Control policy. Detailed information on the policy is available at http://apigee.com/docs/api-services/reference/access-control-policy.

There are a few aspects you should be aware of when using this policy together with the X-Forwarded-For header. The organization-level property feature.enableMultipleXForwardCheckForACL must be enabled for the policy to evaluate all of the IPs carried in the header rather than a single one. Currently only a sysadmin can set this property, so you will need to log a support request to have it enabled.

Once the property is enabled, every IP in the header (X-Forwarded-For: IP1, IP2, IP3, ...) is available to the Access Control policy, which allows or denies the request according to the rules you configure. Not all combinations of Allow and Deny rules are supported, so check that the policy actually covers your requirement; in some cases you may need to add custom logic for your specific use case.

If you need more information on the Access Control policy and its supported use cases, you can reach out to Apigee support or ask a question on the community site.
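As an added illustration (this is not Apigee's implementation and not code from the post), the Python below models the multiple-IP check described above: every address in the X-Forwarded-For chain is parsed, each is tested against ordered allow/deny rules, and the request is denied if any hop is denied. It also shows why judging only the first hop is unsafe when a proxy appends the connecting peer's address to a client-supplied header, and contrasts that with a proxy that strips the incoming header and records only the peer, which is the spoofing concern raised in the comments below. The rule set, the RFC 5737 documentation addresses and the strategy names FIRST, LAST and ALL are constructed for this example and are not the policy's own configuration syntax.

```python
import ipaddress

# Constructed example rules, loosely modeled on ordered allow/deny match
# rules: evaluated top to bottom, the first matching network wins.
# Addresses come from the RFC 5737 documentation ranges.
RULES = [
    ("DENY", "203.0.113.0/24"),    # a blocked client range
    ("ALLOW", "198.51.100.0/24"),  # a trusted partner range
]
DEFAULT_ACTION = "DENY"           # fail closed when no rule matches


def parse_xff(header):
    """Split X-Forwarded-For into IP objects, in header order (client first).

    Returns None if any entry is not an IP address, so the caller can fail
    closed instead of silently skipping a malformed hop.
    """
    ips = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            ips.append(ipaddress.ip_address(part))
        except ValueError:
            return None
    return ips


def decide_for_ip(ip, rules=RULES, default=DEFAULT_ACTION):
    """Apply the ordered rules to a single address."""
    for action, network in rules:
        if ip in ipaddress.ip_network(network):
            return action
    return default


def decide(header, strategy="ALL", rules=RULES, default=DEFAULT_ACTION):
    """Evaluate the header under one of three hop-selection strategies.

    "FIRST": judge only the leftmost address (what the client claims).
    "LAST":  judge only the rightmost address (what the last proxy saw).
    "ALL":   judge every address in the chain; any DENY denies the request.
    """
    ips = parse_xff(header)
    if not ips:                      # empty or malformed header: fail closed
        return "DENY"
    if strategy == "FIRST":
        candidates = ips[:1]
    elif strategy == "LAST":
        candidates = ips[-1:]
    elif strategy == "ALL":
        candidates = ips
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    verdicts = [decide_for_ip(ip, rules, default) for ip in candidates]
    return "DENY" if "DENY" in verdicts else "ALLOW"


def edge_header_append(incoming_xff, peer_ip):
    """Simulate a proxy that keeps the client-supplied header and appends
    the TCP peer address (hypothetical model of the multiple-IP case)."""
    return f"{incoming_xff}, {peer_ip}" if incoming_xff else peer_ip


def edge_header_strip(incoming_xff, peer_ip):
    """Simulate a proxy that discards any client-supplied header and
    records only the TCP peer address (hypothetical model of stripping)."""
    return peer_ip


if __name__ == "__main__":
    # Constructed scenario: a client in the blocked range tries to smuggle a
    # trusted address through X-Forwarded-For.
    spoofed = "198.51.100.7"
    real_client = "203.0.113.5"

    appended = edge_header_append(spoofed, real_client)  # "198.51.100.7, 203.0.113.5"
    print("FIRST:", decide(appended, "FIRST"))  # ALLOW (bypass: trusts the spoofed hop)
    print("LAST: ", decide(appended, "LAST"))   # DENY
    print("ALL:  ", decide(appended, "ALL"))    # DENY (any denied hop denies)

    stripped = edge_header_strip(spoofed, real_client)   # "203.0.113.5"
    print("STRIP:", decide(stripped, "FIRST"))  # DENY (nothing left to spoof)
```

The example uses the leftmost-first order in which proxies conventionally append to X-Forwarded-For; whichever single hop a rule picks, the only address the client cannot forge is the one the trusted edge itself writes, which is why the ALL strategy (or stripping the inbound header) closes the bypass and FIRST does not.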

Comments
Not applicable

Access Control Policy doc has moved, new location: http://docs.apigee.com/api-services/reference/access-control-policy

DChiesa
Staff

I've got a question - why wouldn't this be the default behavior?

adas
New Member

@Dino We thought about it, but there were customers who had some hardcoded logic of picking the last IP from the list or the first IP from the list and so on. With those concerns in mind, we kept the current behaviour as the default, whereas the new behaviour is property-driven.

DChiesa
Staff

ok, that makes sense. Thanks, Arghya. And the use-this-property to turn on the new behavior - is this documented?

jonesfloyd
Staff

Yessir: http://docs.apigee.com/api-services/reference/access-control-policy#validatebasedon

And it's actually setting the property to turn on the previous behavior. So now, by default, X-Forwarded-For headers are stripped before hitting the proxy. With this new default behavior, if my IP is blacklisted, I can no longer get past the Access Control policy by sending a fake, whitelisted IP in X-Forwarded-For.

jonesfloyd
Staff

In subsequent testing in my free org, I've discovered that multiple IPs are still being let through to my proxy even though I don't have the feature.enableMultipleXForwardCheckForACL=true property set on my org. I'm expecting to only have one IP in my X-Forwarded-For header, the one that's auto-populated by Edge. I've filed MGMT-3347 for this.

Version history
Last update:
‎03-14-2015 11:01 PM