Access Control policy support on the X-Forwarded-For in the upcoming releases

Hi Team,

A customer is asking me about the release note of 15.09.30:
http://docs.apigee.com/release-notes/content/150930-apigee-edge-cloud-release-notes#newfeaturesandenhancements-xforwardedforhttpheader

which says;

X-Forwarded-For HTTP header Deprecation notice: For stronger security, Edge support for inbound X-Forwarded-For HTTP request headers is being deprecated and will be removed from a future release. This means the client IP address received by Edge will be the client’s true IP address. This affects the Access Control policy, which can evaluate the X-Forwarded-For address in order to allow or deny API calls made by specific IPs.

Does this mean that the X_FORWARDED_FOR_ALL_IP option, etc. will no longer be supported in the upcoming releases? I know that several customers currently use this feature and it will be a big problem if it's gone. Or are there any alternative ways planned for this?

Thanks,
Toshi

Hi @Toshihiro Shibamoto -

There's a way to turn the capability back on, but customers need to be really careful. The updated, more-secure default behavior is for Edge to ignore all but the last address in the X-Forwarded-For header. This prevents spoofing by IPs that are (or should be) blacklisted, which could otherwise pass in fake IPs.

Users can re-enable the prior behavior by setting the org-level property feature.enableMultipleXForwardCheckForACL to “true,” described here. But you should only do that if you absolutely trust all IPs hitting your proxies.

Enabling that property will let you use the element in the Access Control Policy to look at all IPs (default), the first IP, or the last IP.

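To make the spoofing risk in the answer above concrete, here is an added example (written for this page, not Apigee's own code) that models an IP access-control rule evaluated against the all / first / last address of an X-Forwarded-For chain. It assumes a trusted front-end proxy that appends the true TCP peer address as the last hop; the mode names X_FORWARDED_FOR_FIRST_IP and X_FORWARDED_FOR_LAST_IP, the rule matching semantics ("any evaluated address in the listed networks counts as a match") and the addresses used are all assumptions of the example, only X_FORWARDED_FOR_ALL_IP appears on the page. The scenario: a client on a blacklisted network sends a forged header naming an innocent (or allow-listed) address.

```python
"""Model of X-Forwarded-For based IP access control (example, not Apigee code)."""
from enum import Enum
from ipaddress import ip_address, ip_network


class XffMode(Enum):
    # X_FORWARDED_FOR_ALL_IP is the name from the page; the other two are
    # assumed names for the "first IP" / "last IP" options the answer mentions.
    ALL_IP = "X_FORWARDED_FOR_ALL_IP"
    FIRST_IP = "X_FORWARDED_FOR_FIRST_IP"
    LAST_IP = "X_FORWARDED_FOR_LAST_IP"


def parse_xff(header_value):
    """Split an X-Forwarded-For value into addresses, left (client-supplied) to right (nearest hop).

    Tokens that are not valid IP addresses are dropped: everything before the
    last hop is attacker-controlled text and must not crash the evaluator.
    """
    addrs = []
    for part in header_value.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            addrs.append(ip_address(part))
        except ValueError:
            continue
    return addrs


def candidate_ips(xff_header, mode):
    """Addresses the policy will look at under the given mode."""
    addrs = parse_xff(xff_header)
    if not addrs:
        return []
    if mode is XffMode.ALL_IP:
        return addrs
    if mode is XffMode.FIRST_IP:
        return [addrs[0]]
    return [addrs[-1]]


def evaluate(policy, xff_header, mode):
    """Assumed semantics: if any evaluated address is in policy['networks'],
    return policy['match_action'], otherwise policy['default']."""
    ips = candidate_ips(xff_header, mode)
    if not ips:
        return policy["default"]
    matched = any(ip in net for ip in ips for net in policy["networks"])
    return policy["match_action"] if matched else policy["default"]


def header_seen_by_edge(client_supplied_xff, true_client_ip):
    """Assumed trusted front-end behaviour: append the real TCP peer as the last hop.

    Everything the client put in the header is passed through unchanged, so only
    the last element is something the client could not choose.
    """
    if client_supplied_xff:
        return f"{client_supplied_xff}, {true_client_ip}"
    return true_client_ip


def demo():
    """Blacklisted client spoofs an innocent address; compare the three modes."""
    attacker_ip = "203.0.113.7"  # constructed: lives in the denied network
    deny_list = {"match_action": "DENY", "default": "ALLOW",
                 "networks": [ip_network("203.0.113.0/24")]}
    allow_list = {"match_action": "ALLOW", "default": "DENY",
                  "networks": [ip_network("198.51.100.0/24")]}
    # Forged header claims the request came from an address inside the allow-list.
    forged = header_seen_by_edge("198.51.100.5", attacker_ip)
    results = {}
    for mode in XffMode:
        results[(mode.name, "deny-list")] = evaluate(deny_list, forged, mode)
        results[(mode.name, "allow-list")] = evaluate(allow_list, forged, mode)
    return results


if __name__ == "__main__":
    for (mode, kind), decision in demo().items():
        print(f"{mode:9} {kind:10} -> {decision}")
```

Under this model only LAST_IP gives the right answer in both directions: FIRST_IP lets the blacklisted client evade a deny-list, and ALL_IP lets it satisfy an allow-list just by naming an allowed address, which is why the answer says to re-enable the multiple-address check only when every hop that can write the header is trusted.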

Hi @Floyd Jones, Thank you so much for the answer. I’ll share this with customers.