Allowlist for IP address

Not applicable

Hello Team,

I have a proxy which is used by multiple partners and now have to allow only those network range IPs (partner specific)...

I am using an access control policy to allow-list the specific IP addresses that can access my proxy. But it is still allowing us to access the proxy. If I check my IP address with ipconfig and add the same in the access control policy, it still allows us to access the proxy. The next thing is, if I check my IP address in trace, it shows a different IP address (proxy.client.ip), and I have a proxy which is used by multiple partners and now have to allow only those network range IPs (partner specific)... Need help....


OK, thanks for the description. You're using an AccessControl policy. It sure looks like the policy is not doing what you expect it to do: restrict calls to those that arrive from a specific set of IP addresses.

But we can't answer without additional information.

Can you SHOW or DESCRIBE

  • the specific configuration of the policy
  • how you've attached that policy.

With Apigee Edge, there is the possibility to

  • select one or more policies (like AccessControl, AssignMessage, VerifyApiKey, and so on)
  • attach those policies to a specific attachment point

That's how it works.

It is possible to have an AccessControl policy (or any policy), included in your API Proxy, that is unattached. It may be unfortunate that this is possible, but it is possible. If you have a configuration like this, then the policy in question will never execute.

So we need that additional information in order to be able to diagnose.

How could we really protect a service with IP allow-listing, while an attacker can deceive the policy by using the "X-Forwarded-For" header populated with a valid IP?

Good question Shawky. A better way to go is to enter Apigee through a WAF, in which case you can have greater assurance about the asserted IP address in XFF. For example, use Apigee X with Google Cloud Armor.
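The X-Forwarded-For concern raised above, as an added example that is not part of the original thread and is not Apigee's implementation: it picks the address to check by walking the hop chain from the right and skipping only known front-end proxies, so entries supplied by the caller are ignored. The address ranges are constructed documentation values, the function names are hypothetical, and it assumes the trusted front end (for example a WAF) appends the connecting address to the header.

```python
import ipaddress

# Constructed sample ranges (documentation address space), not from the thread.
PARTNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]    # partner allowlist
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed WAF / load balancer

def _in_any(ip, networks):
    return any(ip in net for net in networks)

def effective_client_ip(peer_ip, xff_header):
    """Return the address to test against the allowlist, or None.

    Hops are read right to left, starting with the TCP peer. Hops that are
    our own trusted proxies are skipped; the first untrusted hop is the
    client. Anything further left was sent by that client and is ignored.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(peer_ip)
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed
        if not _in_any(ip, TRUSTED_PROXIES):
            return ip
    return None  # only trusted proxies seen, no client identified

def is_allowed(peer_ip, xff_header):
    ip = effective_client_ip(peer_ip, xff_header)
    return ip is not None and _in_any(ip, PARTNER_RANGES)

def naive_is_allowed(xff_header):
    """Weak variant for comparison: trusts the left-most, caller-controlled entry."""
    first = xff_header.split(",")[0].strip()
    return _in_any(ipaddress.ip_address(first), PARTNER_RANGES)

if __name__ == "__main__":
    waf = "198.51.100.7"
    # Partner reaching the proxy through the trusted front end.
    print(is_allowed(waf, "203.0.113.10"))
    # Outsider who sent a forged header; the front end appended the real address.
    forged = "203.0.113.10, 192.0.2.50"
    print(naive_is_allowed(forged), is_allowed(waf, forged))
```

The hardened check is only as good as the `TRUSTED_PROXIES` list: traffic that can reach the proxy without passing through those front ends is judged on its own peer address.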

Thank you Mr. Dino,

This means we could not rely on the Apigee AccessControl policy?

Actually, I have advised replacing the WAF whitelisting protection with Apigee. So you do not advise that?

Not applicable

In that case you can use mutual TLS; that will be the best security to authenticate your user.