The AccessControl policy is not working.

Not applicable

I have created a proxy called access-control-test which contains an AccessControl policy allowing only my public IP (122.56.41.158). If I make a request from the above IP address, I get a 403 with faultString "Access Denied for client ip : 10.10.20.157". Worse, if I set the X-Forwarded-For header in my client to the IP address that is allowed, I can get a 200 making the request from any public IP address.

What steps are needed to solve this?


Not applicable

Hi @Madhumita Kumari,

If an X-Forwarded-For header is present, then the header value is considered the source address, so this is the expected behaviour.

The IP address as obtained at the request (10.10.20.157) seems to be different, based on the error message. Also, could you copy the Access Control policy here?

Cheers, Rajesh

Not applicable

Hi @Madhumita Kumari,

It seems a custom rule needs to be set up on the ELB for this. The ELB needs to drop the X-Forwarded-For header which comes in on the incoming request, then pick the public/private IP of the client which is sending the request (based on the use case) and set that in the X-Forwarded-For header.

For cloud accounts this can be done by the Apigee ops team, and for on-premise this needs to be set up by their infra team.

Hope this helps.
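The reply above says the load balancer must not pass through a client-supplied X-Forwarded-For value. The following is an added illustration, not code from the thread or from Apigee: it resolves the client address by walking X-Forwarded-For from the right and skipping only hops that are known, trusted proxies, so a value the client sets itself is never used. The allow-listed address 122.56.41.158 and the internal address 10.10.20.157 come from the question; treating 10.10.20.157 as the trusted ELB hop, and the address 198.51.100.7 as an unrelated client, are assumptions made for the example.

```python
import ipaddress
from typing import Optional

# Constructed for illustration: the allow-listed public IP from the question
# and, as an assumption, the internal load-balancer address seen in the fault.
ALLOWED = {ipaddress.ip_address("122.56.41.158")}
TRUSTED_PROXIES = {ipaddress.ip_address("10.10.20.157")}


def _parse(addr: str):
    """Return an ip_address, or None for a malformed hop (treated as untrusted)."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def effective_client_ip(remote_addr: str, xff: Optional[str]):
    """Pick the client IP: the rightmost hop that is not a trusted proxy.

    The TCP peer (remote_addr) is the last hop. Walking right to left, the
    first address that is not one of our proxies is the real client; anything
    further left was written by an untrusted party and is ignored.
    """
    hops = [_parse(h) for h in xff.split(",") if h.strip()] if xff else []
    hops.append(_parse(remote_addr))
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    # Every hop was a trusted proxy and none of them recorded the client:
    # the proxy itself is all we know, which is the 10.x symptom in the thread.
    return hops[0]


def access_allowed(remote_addr: str, xff: Optional[str]) -> bool:
    """AccessControl-style allow-list check on the resolved client IP."""
    ip = effective_client_ip(remote_addr, xff)
    return ip is not None and ip in ALLOWED


if __name__ == "__main__":
    # ELB sets X-Forwarded-For to the real client: allowed.
    print(access_allowed("10.10.20.157", "122.56.41.158"))
    # ELB forwards without setting the header: only the 10.x hop is known.
    print(effective_client_ip("10.10.20.157", None))
    # Client-supplied value with the ELB appending the true source: denied.
    print(access_allowed("10.10.20.157", "122.56.41.158, 198.51.100.7"))
```

A proxy that merely forwards the header unchanged shows up here as the second case: the resolved address is the proxy's own 10.x address, which is exactly the fault string reported in the question.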

Not applicable

Is this IP (10.10.20.157) familiar to you, maybe an internal IP?

Is this cloud or on-prem?

If on-prem, are you on the same network as the Edge?

@Mukundha Madhavan

After enabling enableMultipleXForwardCheckForACL at org level we can't spoof HTTP requests, but can still spoof HTTPS. Here are the things which are happening:

==>Attempt to access secure from an unauthorised client IP. (issue - fault string has a 10.* IP).

{"faultstring":"Access Denied for client ip : [10.10.21.96]","detail":{"errorcode":"accesscontrol.IPDeniedAccess"}}
* Connection #0 to host paymark-dev.apigee.net left intact

==>Attempt to access default from an unauthorised client IP. (works as expected)

==>Attempt to access default from an unauthorised client IP with an X-Forwarded-For header added (works as expected)

==>Attempt to access secure from an unauthorised client IP with an X-Forwarded-For header added (issue - unauthorised client is allowed).

==>Attempt to access secure from an authorised client IP (issue - access denied and fault string has a 10.* IP)

==>Attempt to access default from an authorised client IP (works as expected)

Not applicable

So we ran into this problem in an environment with a poorly configured X-Forwarded-For rule on the enterprise load balancer.