Layer7 API Management


Access control based on X-Forwarded IP

  • 1.  Access control based on X-Forwarded IP

    Posted 02-01-2017 08:04 PM

    Hi, apologies if this question is answered already; I'd appreciate it if anyone can point me in the right direction.

     

    We want to control access to a service based on the user's IP. However, our API gateway is behind a load balancer, so the Gateway always sees the LB as the client, not the actual client. Our LB is configured to pass the X-Forwarded-For header so backend applications can use that IP as needed. We have customized our Apache web servers to capture this information. However, I am not able to find the required configuration for the API Gateway. Any pointers would be appreciated.

     

    I have confirmed that XFF (X-Forwarded-For) is carrying the client IP using a "Return Template Response" assertion with the following response body:

     

    ${request.http.allheadervalues}

    When this assertion is executed, the user's browser renders all headers, including XFF.

     

    I tried using 

    ${request.http.x-forwarded-for}

    but the browser renders a blank page.

    Can anyone suggest a way to capture XFF in a context variable so I can use that in "Allow Access to IP Address Range"?



  • 2.  Re: Access control based on X-Forwarded IP

    Posted 02-01-2017 11:59 PM

    Hi SamWalker,

     

    There seems to be an error in your context variable declaration. Could you try ${request.http.header.x-forwarded-for}? Also check the logs, as they may show a warning entry for context variables that don't exist.

     

    Regards,

    Shawn



  • 3.  Re: Access control based on X-Forwarded IP
    Best Answer

    Posted 02-02-2017 10:42 AM

    Hi SamWalker,

     

    I use it this way; for me it works.

     

    Regards,

     

    Matheus Isquierdo



  • 4.  Re: Access control based on X-Forwarded IP

    Posted 02-02-2017 11:35 AM

    Thank you both, Shawn and Matheus. Appreciate your time.

     

    request.http.header.x-forwarded-for as context variable worked.