KB44768 - How to configure vWAF to determine IP address from a custom HTTP header

Last Modified Date: 3/31/2021 8:46 PM
Synopsis
This article describes the configuration needed on Virtual Web Application Firewall (vWAF) to determine the client IP address from a custom HTTP header.
Problem or Goal
Certain reverse proxy solutions, such as Microsoft Frontdoors or load balancers, placed in front of vWAF replace the actual client IP address with their own and instead add an extra HTTP header containing the actual client IP address. Any IP-based configuration on vWAF, such as a blacklist, a whitelist or IP-based limiting, will then not work correctly, because vWAF sees only the proxy IP address instead of the actual client IP.
Cause
vWAF detects the client IP address from the source IP information contained in the IP header.
Solution
vWAF can be configured to get the client IP address from a custom HTTP header.

Let's consider that the proxy solution adds a custom HTTP header called "Client-IP" carrying the actual client IP address, as seen below in the HTTP request from the user:

 
 GET / HTTP/1.1
 Host: example.com
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
 Accept: text/html,application/xhtml+xml,application/xml;
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 Client-IP: 10.209.70.9
 Connection: close


For vWAF to detect this header, log in to the vWAF GUI and click Administration > Global Configuration:

[Image: Global Configuration]

Add the custom HTTP header in the "CLIENT IP HEADER" > "custom client ip header" section as shown below and save the changes:

[Image: Custom header]

If the proxy solution sets an X-Forwarded-For header, select the checkbox for the option "use X-Forwarded-For header" on the same page so that vWAF uses it.

A Handler template can now be configured in the vWAF application to restrict access based on IP address and send an HTTP Forbidden error to the client, as seen below:
       
 HTTP/1.1 403 Forbidden
 Cache-Control: no-cache
 Content-Type: text/plain
 Date: xxxx
 Pragma: no-cache
 Connection: close
 Content-Length: 18
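
The trust decision behind a header-derived client IP, as an added Python example (not vWAF's own code or logic): the header is honoured only when the TCP peer is the known proxy, otherwise the source IP is used, so a client connecting directly cannot choose the address that IP-based rules see. The proxy range, the blocked range and the function names are constructed assumptions, and a single trusted proxy hop is assumed.

```python
import ipaddress

# Constructed sample values; none of these come from a vWAF configuration.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]    # proxy egress range
BLOCKED_CLIENTS = [ipaddress.ip_network("10.209.70.0/24")]  # IP-based deny rule
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\nHost: example.com\r\n"
    "Client-IP: 10.209.70.9\r\nConnection: close\r\n\r\n"
)

def parse_headers(raw_request):
    """Map lower-cased header names to the list of values seen for each."""
    headers = {}
    for line in raw_request.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def effective_client_ip(peer_ip, headers, header_name="client-ip"):
    """Return the address that IP-based rules should be evaluated against."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer  # not from the proxy: the header is client-controlled
    values = headers.get(header_name.lower(), [])
    if not values:
        return peer
    # Use the last entry of the last header line: with one trusted hop, that
    # is the value the proxy itself wrote (matters for X-Forwarded-For lists).
    candidate = values[-1].split(",")[-1].strip()
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return peer  # malformed value: fall back to the TCP peer address

def decide(peer_ip, raw_request, header_name="client-ip"):
    """Return 403 if the effective client address is blocked, else 200."""
    client = effective_client_ip(peer_ip, parse_headers(raw_request), header_name)
    return 403 if any(client in net for net in BLOCKED_CLIENTS) else 200
```

The same reasoning applies on the network side: the header value is only as reliable as the guarantee that requests reach vWAF through the proxy and that the proxy overwrites any copy of the header supplied by the client.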
Created By: Rohit Shetty
