Hi Team,
A customer is asking me about the release note of 15.09.30:
http://docs.apigee.com/release-notes/content/150930-apigee-edge-cloud-release-notes#newfeaturesanden...
which says:
X-Forwarded-For HTTP header
Deprecation notice: For stronger security, Edge support for inbound X-Forwarded-For HTTP request headers is being deprecated and will be removed from a future release. This means the client IP address received by Edge will be the client's true IP address. This affects the Access Control policy, which can evaluate the X-Forwarded-For address in order to allow or deny API calls made by specific IPs.
Does this mean that the <IPRules> with X_FORWARDED_FOR_ALL_IP, etc. will no longer be supported in the upcoming releases? I know that several customers currently use this feature, and it will be a big problem if it's gone. Or are there any alternative ways planned for this?
Thanks,
Toshi
Hi @Toshihiro Shibamoto -
There's a way to turn the capability back on, but customers need to be really careful. The updated, more-secure default behavior is for Edge to ignore all but the last address in the X-Forwarded-For header. This prevents spoofing by IPs that are (or should be) blacklisted and that could otherwise pass in fake IPs.
Users can re-enable the prior behavior by setting the org-level property feature.enableMultipleXForwardCheckForACL to "true," described here. But you should only do that if you absolutely trust all IPs hitting your proxies.
Enabling that property will let you use the <ValidateBasedOn> element in the Access Control Policy to look at all IPs (default), the first IP, or the last IP.
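To make the "all / first / last" distinction concrete, here is an added illustration (not Apigee's code and not from the answer above) of an allow-list check evaluated against the X-Forwarded-For header in each of the three modes. It assumes a single trusted edge proxy that appends the real TCP peer address as the last entry of the header; the network `10.0.0.0/8`, the client address `203.0.113.5` and the mode names are constructed for the example. It shows why evaluating every address (or the first one) lets a client that controls its own request headers satisfy an allow rule it should fail, while evaluating only the proxy-appended last address does not.

```python
"""Model of an IP allow-list evaluated against X-Forwarded-For (XFF).

Added illustration only; not the Access Control policy's implementation.
Assumption: exactly one trusted edge proxy sits in front of the service and
appends the connecting peer's address as the LAST comma-separated XFF entry,
so every earlier entry is client-supplied and therefore untrusted.
"""
from ipaddress import ip_address, ip_network

# Constructed sample allow list: only this range may call the API.
TRUSTED_NETWORKS = ["10.0.0.0/8"]


def parse_xff(header):
    """Split a raw XFF header into its entries, trimming whitespace and
    dropping empty fields such as a trailing comma."""
    return [part.strip() for part in header.split(",") if part.strip()]


def select_addresses(addrs, mode):
    """Pick which XFF entries the rule evaluates: ALL, FIRST or LAST."""
    if not addrs:
        return []
    if mode == "ALL":
        return addrs
    if mode == "FIRST":
        return addrs[:1]
    if mode == "LAST":
        return addrs[-1:]
    raise ValueError(f"unknown mode {mode!r}")


def is_allowed(header, allow_nets, mode):
    """Allow the call if any evaluated address is inside an allowed network.
    Malformed entries are skipped rather than treated as trusted."""
    nets = [ip_network(n) for n in allow_nets]
    for entry in select_addresses(parse_xff(header), mode):
        try:
            ip = ip_address(entry)
        except ValueError:
            continue
        if any(ip in net for net in nets):
            return True
    return False


def compare_modes(header, allow_nets=TRUSTED_NETWORKS):
    """Evaluate one header under all three modes; returns {mode: allowed}."""
    return {mode: is_allowed(header, allow_nets, mode)
            for mode in ("ALL", "FIRST", "LAST")}


if __name__ == "__main__":
    # Constructed scenario: the real peer is 203.0.113.5 (outside the allow
    # list). The proxy appends that address; everything before it came from
    # the client, who claims to be 10.1.2.3.
    forged = "10.1.2.3, 203.0.113.5"
    honest = "10.1.2.3"   # a genuine caller inside the allowed range
    print("forged :", compare_modes(forged))
    print("honest :", compare_modes(honest))
```

Under the forged header, `ALL` and `FIRST` both return allowed because the client-supplied `10.1.2.3` is evaluated; `LAST` returns denied because only the proxy-appended `203.0.113.5` counts. The honest header is allowed in every mode, which is why the stricter default costs legitimate callers nothing as long as the assumed single trusted proxy is really what sits in front of the service.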
Hi @Floyd Jones, Thank you so much for the answer. I'll share this with customers.