Apigee X client ip not corresponding to the client

I have an Apigee X deployment and I would like to know the caller IP address when Apigee APIs are being consumed via the internal Apigee IP address (the Apigee instance IP address).

If I make a request from a Compute Engine instance within the same VPC as Apigee, the client.ip and proxy.client.ip flow variables are an IP address from the PSA segment, and not the IP address from which the request was made.

GCE Subnet = 10.190.6.0/24

Apigee PSC Range = 10.191.0.0/16

[Screenshot: apigee_apis.png]

 


You can verify X-Forwarded-For or proxy.client.ip, which should be the appropriate real client IP. I'm not too close to your environment, but you can cross-verify.

Maybe go through a few references, which may help you understand.
https://cloud.google.com/apigee/docs/api-platform/reference/variables-reference
https://cloud.google.com/apigee/docs/api-platform/reference/policies/access-control-policy#xforwarde...
https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/How-to-Find-the-True-Client-IP-in-Api...

Hi,

I verified the header you mentioned, amongst other headers and flow variables, and the IP address in the header is not the one from the client, but one from the Apigee pod segment.

This is my js snippet for the logging:

var client_ip = context.getVariable("client.ip");
var proxy_client_ip = context.getVariable("proxy.client.ip");
// request.headers.names is a collection; coerce it to the string "[a, b, c]"
// and split that into an array of header names.
var requestHeaders = context.getVariable("request.headers.names"),
    result = {};
requestHeaders = requestHeaders + '';
requestHeaders = requestHeaders.slice(1, -1).split(', ');
requestHeaders.forEach(function (x) {
    var a = context.getVariable("request.header." + x);
    result[x] = a;
});
// Print Headers
print(JSON.stringify(result, null, 2));
// Print Client IP
print("client_ip = " + client_ip);
// Print Proxy Client IP
print("proxy_client_ip = " + proxy_client_ip);

And this is the result in the console log:

[Screenshot: apigee_variables.png]

The logged IP is one from the pod segment, and not the client IP.

I would encourage you to speak to an internal network engineer who can help you understand the topology and how X-Forwarded-For works, and help you trace end-to-end (assuming you have better monitoring in place).

Hi Oscar!

Are you trying to do proxy chaining using the instance ingress IP? e.g. VM -> Apigee Ingress -> API Proxy -> Apigee Ingress -> API Proxy -> Backend

Are you generating a new request through a Service Callout in the first API Proxy leg?

 

Hi Ruben!

No, it's a passthrough proxy:
VM -> Apigee Ingress -> API Proxy -> Backend (mocktarget)
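
The X-Forwarded-For check suggested in the first reply, written out as an added example (not code from the thread or from Apigee): it walks the peer address and the header from the nearest hop outward and separates "a caller address is present" from "only infrastructure addresses are visible", which is the situation the original poster reports. The function names and the choice of 10.191.0.0/16 as the only infrastructure range are assumptions, and it handles IPv4 only.

```javascript
// Added example. Assumption: 10.191.0.0/16 (the Apigee range quoted in the
// thread) is the only infrastructure range. IPv4 only.
var INFRA_CIDRS = ['10.191.0.0/16'];

function ipToInt(ip) {
  var parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || parseInt(parts[i], 10) > 255) return null;
    n = n * 256 + parseInt(parts[i], 10);
  }
  return n;
}

function inCidr(ip, cidr) {
  var pair = cidr.split('/');
  var addr = ipToInt(ip), base = ipToInt(pair[0]);
  if (addr === null || base === null) return false;
  var size = Math.pow(2, 32 - parseInt(pair[1], 10)); // addresses in the block
  return Math.floor(addr / size) === Math.floor(base / size);
}

function isInfra(ip, cidrs) {
  return cidrs.some(function (c) { return inCidr(ip, c); });
}

// Walk peer address + X-Forwarded-For from right (nearest hop) to left and
// return the first hop outside the infrastructure ranges. Entries further
// left are caller-supplied and never consulted.
function resolveCaller(xff, peerIp, infraCidrs) {
  var hops = xff ? String(xff).split(',') : [];
  hops.push(String(peerIp));
  for (var i = hops.length - 1; i >= 0; i--) {
    var hop = hops[i].trim();
    if (ipToInt(hop) === null) return { ip: null, reason: 'unparseable-hop' };
    if (!isInfra(hop, infraCidrs)) return { ip: hop, reason: 'first-non-infrastructure-hop' };
  }
  // Everything visible is infrastructure: the caller's address is not present
  // in what the proxy received, so no header parsing can recover it.
  return { ip: null, reason: 'only-infrastructure-addresses' };
}

// Constructed sample values, not taken from the thread's screenshots.
var samples = [
  resolveCaller('10.191.0.5', '10.191.0.9', INFRA_CIDRS),
  resolveCaller('203.0.113.7, 10.190.6.12, 10.191.0.5', '10.191.0.9', INFRA_CIDRS)
];
console.log(JSON.stringify(samples));
```

Inside an Apigee JavaScript policy the two inputs would come from context.getVariable("request.header.X-Forwarded-For") and context.getVariable("client.ip"), with print() in place of console.log.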