Layer7 API Management

  • 1.  Specific IP whitelist with XFF headers

    Posted Aug 09, 2019 01:07 AM

    Hi all 

    We are trying to restrict some IP addresses with our API. However, each request has to pass through a load balancer component before it is sent to the Gateway. So the Gateway sees the LB's IP as the client, not the actual requestor.

    The community link below shows how to specify the IP address range assertion with an XFF header.
    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=778191

    In my case, if we want to implement 'Restrict Access to IP Lists' to control the exact IP address from the XFF header, can anyone suggest how to accomplish this task?

    Sorry if my language is unclear; you can ask for further details for clarification :)

    Best Regards,

    Nick 



  • 2.  RE: Specific IP whitelist with XFF headers

    Broadcom Employee
    Posted Aug 09, 2019 01:39 AM
    Dear Nick,
    The IP range assertion supports context variables:
    https://docops.ca.com/ca-api-gateway/9-4/en/policy-assertions/assertion-palette/service-availability-assertions/restrict-access-to-ip-address-range-assertion


    Regards,
    Mark


  • 3.  RE: Specific IP whitelist with XFF headers

    Posted Aug 09, 2019 02:46 AM

    Hi Mark 

    Can I specify the client's IP address from the XFF header (for instance, 10.0.0.5) instead of a network range?

    Regards,
    Nick




  • 4.  RE: Specific IP whitelist with XFF headers
    Best Answer

    Broadcom Employee
    Posted Aug 11, 2019 08:21 PM
    Sorry Nick,
    In your case, we don't need the IP range assertion. Just use the compare assertion to validate the XFF header.

    - At least folder
      - compare XFF header equals 10.0.0.5
      - All folder
        - error handling or return template response

    If it's an IP range, you may use the regex assertion instead of the compare assertion.

    Regards,
    Mark


  • 5.  RE: Specific IP whitelist with XFF headers

    Posted Aug 21, 2019 06:17 AM
    Check the requestor IP against a list of whitelisted IPs/masks. Works with XFF (behind proxy/NLB) or direct.
    Input:
    - IP_list: can be a multiline CWP with optional comment lines prefixed by '#', or an IP list separated by commas.
    - IP_skip_fail: do not fail even if the IP is not whitelisted.

    example CWP:





    PSEC Fail with error message: our consolidated encap error handling. Works like OTK Fail with error message.
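As an added example, not code from the thread or from the Layer7 Gateway, here is the logic of posts 4 and 5 written out in Python: parsing a whitelist in either form the last post describes (a multiline CWP with `#` comment lines, or a comma-separated list, with single hosts or CIDR masks), picking the requestor IP from X-Forwarded-For only when the TCP peer is a trusted load balancer, and an `IP_skip_fail` equivalent that records the failure but lets the request through. The function names (`parse_ip_list`, `client_ip`, `is_whitelisted`, `check_request`), the trusted-proxy list and all sample addresses are my own assumptions. One point worth seeing in code: when the load balancer appends its own hop, the header holds several comma-separated addresses, so the check walks the header from the right, past the trusted hop, rather than comparing the raw header string; a value the client prepended itself is then never the one compared, and an XFF header arriving directly (not via the trusted LB) is ignored.

```python
import ipaddress
from typing import List, Optional

# Constructed sample of a multiline CWP value of the kind post 5 describes:
# '#' comment lines, one IP or CIDR mask per line.
SAMPLE_CWP_MULTILINE = """# partner office
10.0.0.5
# internal monitoring range
192.168.10.0/24
"""

# The same whitelist in the comma-separated form the post also allows (constructed).
SAMPLE_CWP_CSV = "10.0.0.5, 192.168.10.0/24"

# Assumed address range of the load balancer(s) that sit in front of the Gateway.
TRUSTED_PROXIES = ["10.1.1.0/24"]


def parse_ip_list(raw: str) -> List[ipaddress._BaseNetwork]:
    """Parse a whitelist given as multiline text with '#' comments or as a
    comma-separated list. Single hosts become /32 (or /128) networks."""
    entries = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for item in line.split(","):
            item = item.strip()
            if item:
                entries.append(ipaddress.ip_network(item, strict=False))
    return entries


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: List[str]) -> Optional[str]:
    """Determine the requestor IP. Only when the TCP peer is a trusted proxy is
    X-Forwarded-For consulted, and then it is walked from right to left, skipping
    trusted hops; the first untrusted address is the client. Returns None when a
    hop is malformed, so the caller fails closed."""
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    if not xff or not is_trusted(peer):
        return str(peer)                     # direct request: the peer is the client
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                      # garbage in the header: undeterminable
        if not is_trusted(addr):
            return str(addr)
    return hops[0] if hops else str(peer)    # every hop trusted: leftmost is the client


def is_whitelisted(ip: Optional[str], allowed: List[ipaddress._BaseNetwork]) -> bool:
    """True if the address falls inside any whitelisted host or mask."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def check_request(remote_addr: str, xff: Optional[str], raw_list: str,
                  trusted_proxies: List[str], skip_fail: bool = False) -> dict:
    """Mirror the post's policy: resolve the requestor IP, compare it against the
    list, and with skip_fail record a miss without blocking the request."""
    ip = client_ip(remote_addr, xff, trusted_proxies)
    ok = is_whitelisted(ip, parse_ip_list(raw_list))
    return {"client_ip": ip, "whitelisted": ok, "allow": ok or skip_fail}


if __name__ == "__main__":
    # Request from 10.0.0.5 via the LB at 10.1.1.1, which appended its own hop.
    print(check_request("10.1.1.1", "10.0.0.5, 10.1.1.1", SAMPLE_CWP_MULTILINE, TRUSTED_PROXIES))
    # Direct request carrying a forged XFF: the header is ignored, the peer is checked.
    print(check_request("203.0.113.9", "10.0.0.5", SAMPLE_CWP_CSV, TRUSTED_PROXIES))
```

The `Optional[str]` return of `client_ip` is deliberate: a malformed hop is treated as "no usable address" and the whitelist check then fails closed, which is the same outcome the post's error-handling branch produces for a non-whitelisted IP.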