Access Control policy ignoring True-Client-IP

Hello all,

I have a problem that looks like https://www.googlecloudcommunity.com/gc/Apigee/Access-control-policy-not-working/m-p/530904

I have set up a minimal proxy with AccessControl as a first step like so.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessControl continueOnError="false" enabled="true" name="AC-FilteringIP">
  <DisplayName>AC-FilteringIP</DisplayName>
  <IgnoreTrueClientIPHeader>false</IgnoreTrueClientIPHeader>
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="24">194.5.53.0</SourceAddress>
    </MatchRule>
  </IPRules>
  <ValidateBasedOn>X_FORWARDED_FOR_FIRST_IP</ValidateBasedOn>
</AccessControl>

I made a call from my phone, and it gets rejected with the following error:

{"fault":{"faultstring":"Access Denied for client ip : 10.90.132.89","detail":{"errorcode":"steps.accesscontrol.IPDeniedAccess"}}}

This is unsettling, because my phone’s IP address was 194.5.53.61.

First, the firewall set HTTP Header true-client-ip to 194.5.53.61. Since I used false in the policy, I expected the policy to check the IP Address set in the true-client-ip header, but it didn’t.

Second, I did hope that Apigee would validate the first IP Address of the x-forwarded-for HTTP header, as instructed by X_FORWARDED_FOR_FIRST_IP, but that didn’t work out either.

Is there something obvious I missed? I’d like to avoid having to validate IP addresses in custom JavaScript if at all possible.

5 Likes

Set this to true:

<IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>
1 Like
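
An added example, not part of the thread and not Apigee's implementation: an offline check of the policy's single ALLOW rule against each address a request might present, which separates a wrong rule from the policy evaluating a different address than expected. The X-Forwarded-For value and the peer address are constructed, and `decideAll` and its labels are hypothetical names.

```javascript
// Offline model of the rule in AC-FilteringIP (added example, not Apigee code).

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies inside base/mask. Uses division, not <<, to stay unsigned.
function inCidr(ip, base, mask) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || mask < 0 || mask > 32) return false;
  const size = Math.pow(2, 32 - mask);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Rule set copied from the policy on this page.
const RULES = [{ action: "ALLOW", base: "194.5.53.0", mask: 24 }];
const NO_RULE_MATCH_ACTION = "DENY";

function evaluate(ip) {
  const hit = RULES.find(r => inCidr(ip, r.base, r.mask));
  return hit ? hit.action : NO_RULE_MATCH_ACTION;
}

// Evaluate every candidate address so the one the policy used can be identified.
// Note: the leftmost X-Forwarded-For entry is only trustworthy if the edge
// device sets or sanitises it.
function decideAll(headers, peerIp) {
  const xff = (headers["x-forwarded-for"] || "")
    .split(",").map(s => s.trim()).filter(Boolean);
  const candidates = {
    "true-client-ip": headers["true-client-ip"],
    "xff-first": xff[0],
    "peer": peerIp,
  };
  const out = {};
  for (const [label, ip] of Object.entries(candidates)) {
    out[label] = { ip: ip || null, action: ip ? evaluate(ip) : NO_RULE_MATCH_ACTION };
  }
  return out;
}

// Constructed request: header values and peer address are assumptions.
const sample = decideAll({ "true-client-ip": "194.5.53.61",
  "x-forwarded-for": "194.5.53.61, 10.90.132.89" }, "10.90.132.89");
console.log(sample);
```

The only candidate that yields DENY here is 10.90.132.89, the address quoted in the fault string, so the rule itself matches the phone's address.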