X-Forwarded-For header not having client IP.


@Ozan Seymen @arghya das @Srividya Annapragada @Dino @santosh_ghalsasi

I need to whitelist the IP of my consuming application.

I'm not able to see my client IP in the incoming X-Forwarded-For request header. The only IPs I see are my Apigee architecture component IPs.

As per Apigee docs:

The Access Control policy evaluates the IP addresses in the X-Forwarded-For HTTP header. Edge automatically populates that header with the IP address it received from the last external TCP handshake (such as the client IP or router). If there are multiple IP addresses in the header, the trusted, auto-populated IP is the last one listed.

This is clearly not happening. I have enabled property feature.enableMultipleXForwardCheckForACL as well. This setting also didn't work.

Is there any other way to do this apart from relying on this header alone, as my consumer cannot implement MASSL?


Hi @Arunava Paul,

Could you provide a sample VirtualHost alias where you are seeing this issue?

If you'd prefer not to share this publicly, you could relay this via an Apigee Support ticket here: https://apigee.com/about/support/portal .

Thanks!

adas

@Arunava Paul I am guessing this is on-premises. If you have a load balancer sitting in front of the routers, please check whether your load balancer is configured in HTTP or TCP passthrough mode. If you have a load balancer in TCP passthrough mode, you would not see the client IP; instead you would see the internal IP of your load balancer. Is that how your setup is configured?

Thanks @arghya das

I checked with my server team. They confirmed the load balancer is in SSL offload mode and it can't be changed as of now. Any alternatives to see the client IP in the Apigee environment?

@Arunava Paul

If you are using a load balancer (F5), then you need to enable some settings on the F5 so the client IP is forwarded to the Router.

For 2-way TLS, the handshake normally happens at the Router and hence the client IP will be forwarded.

Thanks @gbhandari

Server team confirmed load balancer settings cannot be changed. Any alternatives to see client IP in Apigee environment?