IP Whitelisting using X-Forwarded-For header - IP can be in any position

As per the document, the X-Forwarded-For header approach in the Access Control policy can validate based on all (X_FORWARDED_FOR_ALL_IP), first (X_FORWARDED_FOR_FIRST_IP) or last (X_FORWARDED_FOR_LAST_IP). Is there a way to validate IPs based on any position?

For example, if we whitelist IP 1.1.1.1 then we should allow traffic if the X-Forwarded-For header value has this IP anywhere in the list. It should allow the following combinations:

1.1.1.1,2.2.2.2,3.3.3.3

2.2.2.2,1.1.1.1,3.3.3.3

3.3.3.3,2.2.2.2,1.1.1.1

10.8.1.20,3.3.3.3,1.1.1.1, 4.4.4.4 & so on...

But it should not allow traffic if 1.1.1.1 is not present in the X-Forwarded-For header value.


You can use JavaScript and verify the condition.

JavaScript or regex can be done only for a couple of IPs. We have multiple CIDR blocks, around 20 plus, which is difficult in JavaScript.

You can use JavaScript for 20 also; you can use Python as well, which will make coding easy for you.

It is not just 20 IPs. It is CIDR blocks, for example 10.0.0.0/32, 10.2.0.0/32 etc. I know it is possible through coding, but it is difficult and needs many lines of code with looping. And this should be applied at global level to all the proxies; I am checking if there is any better approach without much coding.
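As an added example that is not part of the thread, here is the kind of IPv4 check the replies describe: parse the X-Forwarded-For value and report whether any entry falls inside one of a list of CIDR blocks. It is plain ES5-style JavaScript so it runs under Node; the Apigee JavaScript policy wiring (reading the header via context.getVariable and setting a flow variable) and the allowlist values are assumptions, not from the thread.

```javascript
// Added example, not code from the thread. Checks whether ANY entry in an
// X-Forwarded-For value lies inside one of a list of IPv4 CIDR blocks.
// Assumed Apigee wiring (not shown): header = context.getVariable(
// 'request.header.X-Forwarded-For'); context.setVariable('xff.allowed', ...).

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed
// (IPv6 or garbage entries return null and are skipped, not treated as a match).
function ipv4ToInt(ip) {
  var parts = ip.trim().split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = ((n << 8) | octet) >>> 0; // >>> 0 keeps the value unsigned
  }
  return n;
}

// "a.b.c.d/len" (a bare address counts as /32) -> { net, mask } as unsigned ints.
function parseCidr(cidr) {
  var pieces = cidr.trim().split('/');
  var base = ipv4ToInt(pieces[0]);
  var len = pieces.length > 1 ? parseInt(pieces[1], 10) : 32;
  if (base === null || isNaN(len) || len < 0 || len > 32) {
    throw new Error('bad CIDR: ' + cidr);
  }
  // len 0 is special-cased: a JS shift by 32 is a shift by 0, not a zero mask.
  var mask = len === 0 ? 0 : ((0xFFFFFFFF << (32 - len)) >>> 0);
  return { net: (base & mask) >>> 0, mask: mask };
}

// Split the comma-separated header into trimmed, non-empty entries.
function parseXff(header) {
  if (!header) return [];
  return header.split(',').map(function (s) { return s.trim(); }).filter(Boolean);
}

// True if any IPv4 entry in the header falls inside any allowed CIDR block.
function xffMatchesAllowlist(header, cidrs) {
  var blocks = cidrs.map(parseCidr);
  var ips = parseXff(header);
  for (var i = 0; i < ips.length; i++) {
    var ip = ipv4ToInt(ips[i]);
    if (ip === null) continue;
    for (var j = 0; j < blocks.length; j++) {
      if (((ip & blocks[j].mask) >>> 0) === blocks[j].net) return true;
    }
  }
  return false;
}

// Constructed allowlist: the thread's 1.1.1.1 plus two sample CIDR blocks.
var ALLOWLIST = ['1.1.1.1', '10.0.0.0/8', '192.168.50.0/24'];
```

Matching any position means a client-prepended entry counts as well, so the result is only as trustworthy as the hops that appended the header.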