Layer 7 API Management


Specific IP whitelist with XFF headers

  • 1.  Specific IP whitelist with XFF headers

    Posted 13 days ago

    Hi all 

    We are trying to restrict some IP addresses for our API. However, each request is passed through a load balancer component before being sent to the Gateway, so the Gateway sees the LB's IP as the client, not the actual requestor.

    The community link below shows how to specify the IP address range assertion with the XFF header.
    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=778191

    In my case, if we want to implement 'Restrict Access to IP Lists' to control the exact IP address from the XFF header, can anyone suggest how to accomplish this task?

    Sorry if my language is unclear; you can ask for further details for clarification : )

    Best Regards,

    Nick 



  • 2.  RE: Specific IP whitelist with XFF headers

    Posted 13 days ago
    Dear Nick,
    The IP range supports a context variable:
    https://docops.ca.com/ca-api-gateway/9-4/en/policy-assertions/assertion-palette/service-availability-assertions/restrict-access-to-ip-address-range-assertion


    Regards,
    Mark


  • 3.  RE: Specific IP whitelist with XFF headers

    Posted 13 days ago

    Hi Mark 

    Can I specify the client's IP address from the XFF header (for instance, 10.0.0.5) instead of a network range?

    Regards,
    Nick




  • 4.  RE: Specific IP whitelist with XFF headers
    Best Answer

    Posted 11 days ago
    Sorry Nick,
    In your case, we don't need the IP range assertion. Just use the compare assertion to validate the XFF header.

    - At least folder
    - \_ compare XFF header equals 10.0.0.5
    - \_ All folder
    ---- \_ error handling or return template response 

    If it's an IP range, you may use the regex assertion instead of the compare assertion.

    Regards,
    Mark


  • 5.  RE: Specific IP whitelist with XFF headers

    Posted yesterday
    Checks the requestor IP against a list of whitelisted IPs/masks. Works with XFF (behind proxy/NLB) or direct.
    Input:
    - IP_list: can be a multiline CWP with optional comment lines prefixed by '#', or an IP list separated by commas.
    - IP_skip_fail: do not fail even if the IP is not whitelisted.

    example CWP:





    PSEC Fail with error message: our consolidated encap error handling. Works like OTK Fail with error message.
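    As an added example (not code from this thread or from the Layer7 Gateway itself), the same allow-list check written out in Python: it parses the CWP format described above, resolves the requestor IP from XFF by walking the hop chain from the right and skipping the trusted LB hops, and honours IP_skip_fail. The LB addresses and allow-list entries are constructed placeholders.

```python
import ipaddress

# Constructed allow-list in the CWP format post 5 describes (hypothetical values):
# one entry per line, '#' comment lines, or comma-separated entries.
ALLOW_LIST_CWP = """
# office egress host
10.0.0.5
# partner ranges
192.0.2.0/24, 198.51.100.0/25
"""
# Hypothetical address range of the load balancer(s) in front of the Gateway.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/24")]


def parse_allow_list(text):
    """Turn the CWP text into ip_network objects. Blank lines and '#'
    comments are skipped; entries may be newline- or comma-separated."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for entry in line.split(","):
            if entry.strip():
                nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets


def client_ip(xff_header, remote_addr, trusted=TRUSTED_PROXIES):
    """Resolve the requestor IP. The hop chain is the XFF entries followed by
    the TCP peer. Walking from the right, skip each hop that is a trusted
    proxy; the first untrusted hop is the client. Anything further left was
    written by the client, so a spoofed XFF value cannot satisfy the list.
    Returns None when that hop is not a parseable address."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    hops.append(remote_addr)
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(ip in p for p in trusted):
            return ip
    return ip  # every hop was a trusted proxy: use the left-most one


def check_request(xff_header, remote_addr, skip_fail=False):
    """True if the request may proceed. skip_fail mirrors IP_skip_fail:
    the lookup still runs (so it can be logged) but never blocks."""
    ip = client_ip(xff_header, remote_addr)
    allowed = ip is not None and any(ip in n for n in parse_allow_list(ALLOW_LIST_CWP))
    return allowed or skip_fail
```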