Check requestor IP against list of whitelisted IPs/masks. Works if XFF (behind proxy/NLB) or direct.
Input:
- IP_list: can be a multiline CWP with optional comment lines prefixed by '#', or IP list separated by comma.
- IP_skip_fail: do not fail even if IP not whitelisted.
example CWP:
PSEC Fail with error message: our consolidated encap error handling. Works as OTK Fail with error message.
Original Message:
Sent: 08-11-2019 08:21 PM
From: Zhijun He
Subject: Specific IP whitelist with XFF headers
Sorry Nick,
In your case, we don't need the IP range assertion. Just use a compare assertion to validate the XFF header.
- At least folder
- \_ compare XFF header equals 10.0.0.5
- \_ All folder
---- \_ error handling or return template response
If it's an IP range, you may use a regex assertion instead of a compare assertion.
Regards,
Mark
Original Message:
Sent: 08-09-2019 02:45 AM
From: Peerapong Ountrongchit
Subject: Specific IP whitelist with XFF headers
Hi Mark
Can I specify the client's IP address from the XFF header (for instance, 10.0.0.5) instead of a network range?
Regards,
Nick
Original Message:
Sent: 08-09-2019 01:39 AM
From: Zhijun He
Subject: Specific IP whitelist with XFF headers
Dear Nick,
The IP range supports context variable,
https://docops.ca.com/ca-api-gateway/9-4/en/policy-assertions/assertion-palette/service-availability-assertions/restrict-access-to-ip-address-range-assertion
Regards,
Mark
Original Message:
Sent: 08-09-2019 01:00 AM
From: Peerapong Ountrongchit
Subject: Specific IP whitelist with XFF headers
Hi all
We are trying to restrict some IP addresses with our API. However, each request should be passed through a load balancer component before it is sent to the Gateway. So, the Gateway sees the LB's IP as the client, not the actual requestor.
The community link below shows how to specify the IP address range assertion with the XFF header.
https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=778191
In my case, if we want to implement 'Restrict Access to IP Lists' to control the exact IP address from the XFF header, can anyone suggest how to accomplish this task?
Sorry if my language is unclear; you can ask for further details for clarification : )
Best Regards,
Nick
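
An added example, not part of any post in this thread and not Layer7 policy code: a Python sketch of the whitelist check described in the first post (IP_list as multiline text with '#' comments or comma-separated entries, XFF or direct, IP_skip_fail). The function names, the `trusted_proxies` parameter and the choice to honour only the rightmost XFF entry when the direct peer is a trusted proxy are assumptions of this example; all addresses are constructed samples.

```python
import ipaddress

# Constructed sample IP_list: '#' comment lines, single IPs and masks.
SAMPLE_IP_LIST = """# partner office
10.0.0.5
192.168.10.0/24, 172.16.4.9
"""

def parse_ip_list(text):
    """Parse IP_list: multiline with '#' comments and/or comma-separated."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for item in filter(None, (p.strip() for p in line.split(","))):
            # strict=False tolerates host bits, e.g. 192.168.10.7/24
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def requestor_ip(peer_ip, xff, trusted_proxies):
    """Pick the address to check: XFF behind a proxy, else the direct peer."""
    peer = ipaddress.ip_address(peer_ip)
    if xff and any(peer in net for net in trusted_proxies):
        # Assumption: one trusted proxy/NLB appends the real client as the
        # rightmost entry; anything to its left was supplied by the client.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer  # XFF from an untrusted peer is ignored

def check_whitelist(peer_ip, xff, ip_list, trusted_proxies, ip_skip_fail=False):
    """Return (whitelisted, fail). IP_skip_fail suppresses only the failure."""
    try:
        ip = requestor_ip(peer_ip, xff, trusted_proxies)
        whitelisted = any(ip in net for net in parse_ip_list(ip_list))
    except ValueError:
        whitelisted = False  # unparsable XFF entry or list item: not a match
    return whitelisted, (not whitelisted and not ip_skip_fail)

if __name__ == "__main__":
    lb = parse_ip_list("10.1.1.1")  # constructed load balancer address
    print(check_whitelist("10.1.1.1", "10.0.0.5", SAMPLE_IP_LIST, lb))
    print(check_whitelist("10.1.1.1", "10.0.0.5, 203.0.113.9", SAMPLE_IP_LIST, lb))
    print(check_whitelist("203.0.113.9", "10.0.0.5", SAMPLE_IP_LIST, lb))
```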