This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Cloud Armor: 'user_ip is currently not supported'

Posted Wednesday
curielrodrigo
New Member
Reply posted on --/--/---- --:-- AM

I'm using a Backend Security Policy attached to a Backend Service (External Application Load Balancer) to restrict access by IP.

Recently, I needed to use the IP address from the X-Forwarded-For header instead of the standard client IP, as requests may come from multiple devices behind the same proxy. To address this, I updated the policy’s User IP request headers configuration to include X-Forwarded-For.

However, when I try to add a rule in Advanced mode using the expression:

origin.user_ip == "some.ip"
I consistently receive the error:

1:1: user_ip is currently not supported.
Does anyone know why this might be happening? Is origin.user_ip not supported for backend service–level policies, even when the documentation indicates it should be when userIpRequestHeaders are configured?

Any insight or suggestions would be greatly appreciated!

0 1 45
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
reinc
Staff
Reply posted on --/--/---- --:-- AM

Hi @curielrodrigo

Welcome to Google Cloud Community! 

When adding a rule in Advanced mode for a Backend Security Policy, ensure you include an expression or subexpressions to evaluate incoming requests. Check the documentation when configuring security policies to apply to an existing global external Application Load Balancer or classic Application Load Balancer and backend service.

To change your origin.user_ip == "some.ip", you may try this rule expression for backend security policy:

request.headers['x-forwarded-for'].split(',')[0].trim() == "some.ip"

Explanation:
The X-Forwarded-For header can contain a comma-separated list of IP addresses (ex. client_ip, proxy1_ip, proxy2_ip) when multiple proxies are used. Using split(',')[0] pulls the first IP, which is usually the original client's IP. The .trim() removes any leading or trailing whitespace from the extracted IP and then compares the cleaned IP to "some.ip".

You can refer to the configuration documentation for details on the operations and attributes used in creating rule expressions.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

0 Likes
Top Solution Authors
View all