Layer7 API Management

Expand all | Collapse all

Source IP Check in APIGateway

Jump to Best Answer
  • 1.  Source IP Check in APIGateway

    Posted 12-26-2017 05:23 AM

    In API Gateway and Siteminder integration, what's a best way to validate source IP coming from the user with the details in the SMSESSION. Is the Check IP option a legit one for this ?



  • 2.  Re: Source IP Check in APIGateway
    Best Answer

    Posted 12-26-2017 07:56 PM

    Hello,

     

    I think the simplest way is to check the context variable ${<target>.tcp.remoteIP} in your policies ("<target>" is "request" here). It can be used without SiteMinder integration.
    https://docops.ca.com/ca-api-gateway/9-3/en/reference/context-variables/transport-layer-context-variables

     

    If you'd like to get the source IP from the SMSESSION, ${<prefix>.smcontext.sourceIpAddress} would be better for your purpose.
    https://docops.ca.com/ca-api-gateway/9-3/en/reference/context-variables/ca-single-sign-on-context-variables

     

    I believe Simpler is Better.

     

    Cheers.



  • 3.  Re: Source IP Check in APIGateway

    Posted 12-26-2017 11:08 PM

    Considering the different type of network configurations ( SNAT etc ), will ${.tcp.remoteIP} get the exact source IP for the validation. I am concerned about the internet facing application which also CDNs like Akamai in place.



  • 4.  Re: Source IP Check in APIGateway

    Posted 12-27-2017 08:17 PM

    Hello,

     

    Would you be able to give us any examples about your concerns?

    When we received an HTTP request through a network device such as SSL offloader, the original IP address is placed in the X-Forwarded-For header. You should refer to it instead of ${<target>.tcp.remoteIP}.
    CDNs like Akamai are the destinations of HTTP requests, aren't they? It's not clear for me how the source IP addresses from clients are used for.

     

    Cheers.