Can True-Client-IP header evaluation in AccessControl policy be disabled?

dusan
New Member

According to https://docs.apigee.com/api-platform/reference/policies/access-control-policy, if the API request contains the True-Client-IP header, then the Access Control policy ignores the X-Forwarded-For header completely and evaluates only the IP address in the True-Client-IP header.

This enables clients to easily spoof the source IP address just by adding this request header. Is it possible to ignore the True-Client-IP header in the Access Control policy?

1 ACCEPTED SOLUTION

Hello Dusan,

I've been in touch with Apigee support on the usage of True-Client-IP for several weeks now, and apparently it can be ignored simply by enabling feature.enableMultipleXForwardCheckForACL at organization level.

With this feature enabled, Edge seems to ignore the True-Client-IP header and starts evaluating all the IPs in the XFF header by default.

It is then possible to control the behavior of the Access Control policy using the ValidateBasedOn Element as stated here:
https://docs.apigee.com/api-platform/reference/policies/access-control-policy#validatebasedon

I haven't tested this feature yet, so I can't guarantee it works exactly as stated, but I intend to do so ASAP.

During the discussion, and before they provided me with the feature.enableMultipleXForwardCheckForACL solution, I also proposed to Apigee adding a flag in the Access Control policy, like <EnableTrueClientIpCheck>, set to True by default so as to remain backward compatible, which, if set to False, allows the policy to continue using the IP address from X-Forwarded-For instead of evaluating the True-Client-IP header.

We'll see if this feature request will be accepted.

Hope this helps,

Davide

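The following is an added illustration, not part of this thread and not Apigee's implementation: a small model of how an access-control policy chooses which IP(s) to check against a deny list. It shows the gap Dusan describes (a client-settable True-Client-IP header short-circuits the check) and why evaluating every X-Forwarded-For hop, the behaviour Davide reports for feature.enableMultipleXForwardCheckForACL, closes it. The mode names, the deny list and the sample request are constructed for the example; they only mirror the first/last/all choices the ValidateBasedOn element offers and are not Apigee identifiers.

```python
import ipaddress
from typing import Dict, Iterable, List, Mapping

# Constructed evaluation modes for this model (not Apigee enum values).
TRUE_CLIENT_IP_FIRST = "true-client-ip-first"  # legacy behaviour described in the docs
XFF_FIRST = "xff-first"                         # evaluate only the first XFF entry
XFF_LAST = "xff-last"                           # evaluate only the last XFF entry
XFF_ALL = "xff-all"                             # evaluate every XFF entry


def candidate_ips(headers: Mapping[str, str], mode: str) -> List[str]:
    """Return the IP strings the policy would evaluate for this request."""
    h = {k.lower(): v for k, v in headers.items()}
    xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    if mode == TRUE_CLIENT_IP_FIRST and "true-client-ip" in h:
        # Legacy rule from the docs: True-Client-IP present -> XFF ignored entirely.
        return [h["true-client-ip"].strip()]
    if mode == XFF_FIRST:
        return xff[:1]
    if mode == XFF_LAST:
        return xff[-1:]
    # XFF_ALL, or legacy mode without a True-Client-IP header (model assumption).
    return xff


def is_allowed(headers: Mapping[str, str], mode: str, deny: Iterable[str]) -> bool:
    """Deny if any evaluated IP falls inside a denied network; fail closed otherwise."""
    nets = [ipaddress.ip_network(n) for n in deny]
    ips = candidate_ips(headers, mode)
    if not ips:
        return False  # nothing to evaluate -> deny rather than pass silently
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # malformed entry -> deny
        if any(addr in net for net in nets):
            return False
    return True


# Constructed sample: the real peer is 203.0.113.7 and sits in the denied range.
# The client adds a forged True-Client-IP and a forged leading XFF entry; the
# trusted edge proxy appends the real peer as the last XFF hop.
DENY_LIST = ["203.0.113.0/24"]
SPOOFED_REQUEST = {
    "True-Client-IP": "198.51.100.1",
    "X-Forwarded-For": "198.51.100.1, 203.0.113.7",
}


def demo() -> Dict[str, bool]:
    """Evaluate the spoofed request under each mode; True means the request passes."""
    return {mode: is_allowed(SPOOFED_REQUEST, mode, DENY_LIST)
            for mode in (TRUE_CLIENT_IP_FIRST, XFF_FIRST, XFF_LAST, XFF_ALL)}


if __name__ == "__main__":
    for mode, allowed in demo().items():
        print(f"{mode:22s} -> {'ALLOWED (bypass)' if allowed else 'denied'}")
```

Running it shows the legacy mode and the first-entry mode both let the denied peer through, because both evaluate only a value the client controls; the last-entry mode works only when the hop appended by your own proxy is the one checked, and the all-entries mode denies as soon as the denied address appears anywhere in the chain, which is the robust choice for a deny list.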
dusan
New Member

Thank you for sharing this info Davide, I will also test this.