I have been able to confirm that the Siteminder web agent module for Apache 2.4 is incorrectly using the connection record's client_ip variable instead of the request record's useragent_ip. This change was documented by Apache here. This is a bug and should be fixed in the web agent code. Per Apache's docs:
When you require the IP address of the user agent, which might be connected directly to the server, or might optionally be separated from the server by a transparent load balancer or proxy, use request_rec->useragent_ip and request_rec->useragent_addr.
Original Message:
Sent: 09-12-2019 10:57 AM
From: Jose Garboza
Subject: Web Agent client IP resolution
Pete, thanks for the response. According to that document REMOTE_ADDR is a "web server variable representing the IP address of the HTTP client", not an HTTP header. Could you please confirm REMOTE_ADDR is indeed a web server variable such as Apache's conn_rec->remote_addr variable and not a header per se?
PS. I have tried the CustomIpHeader setting but it had unintended negative consequences (IP validation was turned on).
Original Message:
Sent: 09-11-2019 04:59 PM
From: Peter Burant
Subject: Web Agent client IP resolution
Hi Jose,
By default, the Web Agent will use the REMOTE_ADDR header value to determine the client ip address. If this header does not contain the correct value, you can use the CustomIpHeader ACO parameter to instruct the agent to use a different header. It is very common to set this parameter value to 'X-forwarded-for' as that header will typically contain the true client ip when a proxy is in the path.
More information about this is here:
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product#DefaultHTTPHeadersUsedbytheProduct-ConfigureIPAddressValidation
Regards,
Pete
Broadcom Layer 7 Siteminder Support
Original Message:
Sent: 09-11-2019 04:07 PM
From: Jose Garboza
Subject: Web Agent client IP resolution
I am having an issue after upgrade from Apache 2.2 to 2.4 where SiteMinder web agent module no longer picks up the remote client IP address but instead uses the load balancer's IP address. Apparently Apache 2.4 has a different connection record structure (documented here). My question was regarding the SiteMinder web agent's source of remote IP address. Does it use the connection record's client_ip or the request record's useragent_ip, or neither?
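The difference between the connection's client_ip and the request's useragent_ip discussed in this thread, as an added example that is not part of the original messages and is not SiteMinder or Apache code. The structs are simplified stand-ins for the two fields named above; the function name, the trusted-proxy list and all addresses are constructed for illustration. It derives useragent_ip from X-Forwarded-For only when the TCP peer is a trusted proxy.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the two Apache 2.4 fields named in the thread. */
struct conn { const char *client_ip; };          /* TCP peer, e.g. the LB */
struct req  { struct conn *c; char useragent_ip[256]; };

/* Constructed sample: proxies we operate and therefore trust. */
static const char *TRUSTED[] = { "10.0.0.5", "10.0.0.6" };

static int is_trusted(const char *ip) {
    for (size_t i = 0; i < sizeof TRUSTED / sizeof *TRUSTED; i++)
        if (strcmp(ip, TRUSTED[i]) == 0) return 1;
    return 0;
}

static int is_ip(const char *s) {
    unsigned char b[16];
    return inet_pton(AF_INET, s, b) == 1 || inet_pton(AF_INET6, s, b) == 1;
}

/* Fill r->useragent_ip. The header counts only when the TCP peer is a trusted
 * proxy, and is read right to left so entries a client supplied are not reached. */
const char *resolve_useragent_ip(struct req *r, const char *xff) {
    char buf[256];
    snprintf(r->useragent_ip, sizeof r->useragent_ip, "%s", r->c->client_ip);
    if (!xff || strlen(xff) >= sizeof buf || !is_trusted(r->c->client_ip))
        return r->useragent_ip;
    strcpy(buf, xff);                        /* length checked above */
    for (;;) {
        char *comma = strrchr(buf, ',');
        char *tok = comma ? comma + 1 : buf;
        tok += strspn(tok, " \t");
        tok[strcspn(tok, " \t")] = '\0';
        if (!is_ip(tok)) break;              /* malformed hop: keep last good value */
        snprintf(r->useragent_ip, sizeof r->useragent_ip, "%s", tok);
        if (!comma || !is_trusted(tok)) break;
        *comma = '\0';                       /* drop this hop, look one further left */
    }
    return r->useragent_ip;
}

int main(void) {
    struct conn c = { "10.0.0.5" };
    struct req r = { &c, "" };
    /* Constructed header: the first entry was sent by the client itself. */
    puts(resolve_useragent_ip(&r, "192.0.2.99, 203.0.113.7, 10.0.0.6"));
    return 0;
}
```

Code that reads only client_ip sees 10.0.0.5 (the load balancer) for every request, which is the symptom reported after the upgrade.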