Access Control policy support on the X-Forwarded-For in the upcoming releases


Hi Team,

A customer is asking me about the release note of 15.09.30:
http://docs.apigee.com/release-notes/content/150930-apigee-edge-cloud-release-notes#newfeaturesanden...

which says:

X-Forwarded-For HTTP header Deprecation notice: For stronger security, Edge support for inbound X-Forwarded-For HTTP request headers is being deprecated and will be removed from a future release. This means the client IP address received by Edge will be the client's true IP address. This affects the Access Control policy, which can evaluate the X-Forwarded-For address in order to allow or deny API calls made by specific IPs.


Does this mean that the <IPRules> with X_FORWARDED_FOR_ALL_IP, etc. will be no more supported in the upcoming releases? I know that several customers currently use this feature and it will be a big problem if it’s gone. Or are there any alternative ways planned for this?

Thanks,
Toshi


Hi @Toshihiro Shibamoto -

There's a way to turn the capability back on, but customers need to be really careful. The updated, more-secure default behavior is for Edge to ignore all but the last address in the X-Forwarded-For header. This prevents spoofing by IPs that are (or should be) blacklisted, which could otherwise pass in fake IPs.

Users can re-enable the prior behavior by setting the org-level property feature.enableMultipleXForwardCheckForACL to "true", described here. But you should only do that if you absolutely trust all IPs hitting your proxies.

Enabling that property will let you use the <ValidateBasedOn> element in the Access Control Policy to look at all IPs (default), the first IP, or the last IP.

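To make the warning in the answer concrete, here is an added Python simulation (not code from the thread, from Apigee, or from the Access Control policy itself) of how the three <ValidateBasedOn> values pick an address out of a multi-hop X-Forwarded-For chain, and why the first/all modes are only safe when every hop in front of Edge is trusted. The IP rule set, the sample addresses, the "front proxy appends the TCP peer" model, and the reading that X_FORWARDED_FOR_ALL_IP denies when any listed hop is denied are all constructed assumptions for the illustration.

```python
"""
Simulate the client-IP selection that an AccessControl policy performs for
each <ValidateBasedOn> mode, using a constructed IP rule set.

Assumptions (not taken from the original thread):
  * Rules are evaluated first-match; if none match, NO_RULE_MATCH_ACTION applies
    (mirrors <IPRules noRuleMatchAction="ALLOW">).
  * In ALL_IP mode the request is denied if ANY listed hop is denied.
  * A well-behaved front proxy appends the TCP peer address to whatever
    X-Forwarded-For the client already sent, so only the LAST entry is under the
    proxy's control; everything before it is attacker-controlled.
"""
import ipaddress

MODES = (
    "X_FORWARDED_FOR_ALL_IP",
    "X_FORWARDED_FOR_FIRST_IP",
    "X_FORWARDED_FOR_LAST_IP",
)

# Constructed sample policy: one DENY rule for a blocked range, allow the rest.
RULES = [
    ("DENY", ipaddress.ip_network("203.0.113.0/24")),
]
NO_RULE_MATCH_ACTION = "ALLOW"


def rule_action(ip: str) -> str:
    """First-match evaluation of the constructed <MatchRule> list."""
    addr = ipaddress.ip_address(ip)
    for action, net in RULES:
        if addr in net:
            return action
    return NO_RULE_MATCH_ACTION


def select_ips(xff_header: str, mode: str) -> list:
    """Pick which hop(s) of the X-Forwarded-For chain the policy will check."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if mode == "X_FORWARDED_FOR_ALL_IP":
        return hops
    if mode == "X_FORWARDED_FOR_FIRST_IP":
        return hops[:1]
    if mode == "X_FORWARDED_FOR_LAST_IP":
        return hops[-1:]
    raise ValueError(f"unknown ValidateBasedOn mode: {mode}")


def evaluate(xff_header: str, mode: str, connection_peer_ip: str) -> str:
    """Return 'ALLOW' or 'DENY' for a request.

    If no X-Forwarded-For is present, the TCP source address is the client
    address (the 'true IP' the deprecation notice refers to).
    """
    ips = select_ips(xff_header, mode) if xff_header.strip() else [connection_peer_ip]
    # Assumption: a single denied hop is enough to deny the whole request.
    return "DENY" if any(rule_action(ip) == "DENY" for ip in ips) else "ALLOW"


def trusted_proxy_forward(client_supplied_xff: str, tcp_peer_ip: str) -> str:
    """What a front proxy (load balancer, CDN) does before handing to Edge:
    append the address it actually saw on the socket to the client's header."""
    return f"{client_supplied_xff}, {tcp_peer_ip}" if client_supplied_xff else tcp_peer_ip


def spoof_demo() -> dict:
    """A client in the blocked range forges a first hop to look like an
    allowed address; compare what each mode decides."""
    blocked_client = "203.0.113.7"          # in the DENY range
    forged_first_hop = "192.0.2.1"          # attacker-supplied, not blocked
    header = trusted_proxy_forward(forged_first_hop, blocked_client)
    # Edge's TCP peer is now the proxy, not the client.
    proxy_ip = "198.51.100.10"
    return {mode: evaluate(header, mode, proxy_ip) for mode in MODES}


if __name__ == "__main__":
    for mode, decision in spoof_demo().items():
        print(f"{mode:26s} -> {decision}")
```

Only X_FORWARDED_FOR_LAST_IP (the stricter default the answer describes) and the "any hop denied" reading of ALL_IP stop the forged header here; FIRST_IP lets the blocked client through, which is exactly why the property should stay off unless every hop that can write the header is trusted. Note that ALL_IP still lets an attacker influence the decision in the other direction: a legitimate client can be denied by a forged first hop that lands in a blocked range.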


Hi @Floyd Jones, Thank you so much for the answer. I'll share this with customers.