Chained Proxy Allowlist local IP

Hi everyone,

I currently have 2 chained Proxies like this:

Client --> Proxy 1 --> Proxy 2 --> Target

I need to establish a secure connection between Proxy 1 and Proxy 2, so that Proxy 2 cannot be called by external clients directly.

Only Proxy 1 can call Proxy 2, because Proxy 1 contains all security and traffic policies and Proxy 2 is generated automatically.

I cannot find any helpful description of how to use the ACL policy not on client.ip but on virtualhost.ip. Many threads say "check if IP is local" and so does the Apigee documentation, but there is absolutely no example. From my understanding I need to check if the IP is in the 127.0.0.* range, which would mean it's another proxy.

I've tried to use the ACL policy like this:

<IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
        <SourceAddress mask="32" ref="virtualhost.ip">127.0.0.1</SourceAddress>
    </MatchRule>
</IPRules>

However, it never uses the virtualhost.ip; it always errors with:

"fault_name": "IPDeniedAccess",
"error_message": "Access Denied for client ip : [2.204.xxx]"

which is my IP. So Apigee obviously doesn't care about my ref="virtualhost.ip".

What is the correct way of doing this, with code examples if possible, if someone has something?

Thanks in advance!

1 ACCEPTED SOLUTION

A few things on this

1. Using ref will use the value found in the given variable if available instead of your given value of 127.0.0.1. I'm guessing your intention was to try and specify a value for your access control policy to check against?

2. Try removing ref from your source address and trying the request again. 127.0.0.1 is correct to me.

3. If the secondary proxy ("proxy 2") has policies, for example, that could be reused by other proxies such as proxy 1, consider using Shared Flows instead of proxy chaining.

https://docs.apigee.com/api-platform/fundamentals/shared-flows


Yes, my intention is to specify "virtualhost.ip" to be the value which Apigee should use to check against the specified "127.0.0.1" value.

Without the ref and with the ref it will always check the "client.ip" as a default, which is my IP.

How can I specify to use the "virtualhost.ip" if "ref" is wrong?

I am using shared flows, still need to get this connection.

What you're thinking of is the ValidateBasedOn attribute; however, it won't let you change it to a non-X-Forwarded-For value.

https://docs.apigee.com/api-platform/reference/policies/access-control-policy#validatebasedon

With that said, I'm assuming you're using the original request payload of proxy 1, in which case some options:

1. within your service callout, use a brand new request object to prevent reusing the X-Forwarded-For, i.e. specify a new variable as the request variable / create a new request object

2. or remove the X-Forwarded-For header from the request using AssignMessage

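The fix discussed in this thread, written out as an added example (not code posted by anyone in the thread, nor from Apigee's own documentation): an AccessControl policy in proxy 2 that allows only the loopback address (no ref attribute, so the literal is matched against client.ip), plus an AssignMessage in proxy 1 that strips X-Forwarded-For before the chained ServiceCallout, so proxy 2 does not evaluate the original external client's address. Policy names, the proxy name proxy-2 and the endpoint name default are assumptions.

```xml
<!-- Proxy 2, ProxyEndpoint PreFlow: deny everything that does not arrive
     over loopback. Note the comparison is against client.ip, which is
     derived from X-Forwarded-For when that header is present. -->
<AccessControl async="false" continueOnError="false" enabled="true" name="AC-AllowLoopbackOnly">
    <DisplayName>AC-AllowLoopbackOnly</DisplayName>
    <IPRules noRuleMatchAction="DENY">
        <MatchRule action="ALLOW">
            <!-- No ref attribute: the literal value is the address to match -->
            <SourceAddress mask="32">127.0.0.1</SourceAddress>
        </MatchRule>
    </IPRules>
</AccessControl>

<!-- Proxy 1, before the ServiceCallout: remove X-Forwarded-For so the
     external client's address is not forwarded into the chained request. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-StripXFF">
    <DisplayName>AM-StripXFF</DisplayName>
    <Remove>
        <Headers>
            <Header name="X-Forwarded-For"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

<!-- Proxy 1: chain to proxy 2 over the local connection (same message
     processor), which is what makes the loopback rule in proxy 2 match.
     Proxy name and endpoint name are assumed. -->
<ServiceCallout async="false" continueOnError="false" enabled="true" name="SC-CallProxy2">
    <DisplayName>SC-CallProxy2</DisplayName>
    <Request clearPayload="false" variable="proxy2Request">
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    </Request>
    <Response>proxy2Response</Response>
    <LocalTargetConnection>
        <APIProxy>proxy-2</APIProxy>
        <ProxyEndpoint>default</ProxyEndpoint>
    </LocalTargetConnection>
</ServiceCallout>
```

A quick check after deploying: calling proxy 2's basepath directly from outside should return the IPDeniedAccess fault shown in the question, while the same request through proxy 1 should succeed.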

This solves the Problem, thank you very much.


We have implemented the same. Your second proxy, which will be called through proxy chaining, will be within the message processor. So I would suggest setting the access control to allow all the message processor IPs, referring to this as client.ip, and it will not allow any direct call from outside.