This article applies to:
- WebMarshal 7.5.0 and above
Question:
- How do I apply IP authentication based on the X-Forwarded-For header of a request?
Procedure:
WebMarshal IP Authentication normally evaluates the connecting IP address.
You can configure WebMarshal to authenticate based on the X-Forwarded-For header included in the request.
This option allows you to authenticate and apply policy based on the client IP address when requests pass through a load balancer or other device before reaching WebMarshal.
WebMarshal considers only the first IP address in the first valid X-Forwarded-For header.
To configure X-Forwarded-For evaluation:
- Create one or more WebMarshal IP Groups that include the IP addresses of the original clients.
- To configure the trusted sources of forwarded requests (such as load balancers), add entries to the WebMarshal Proxy Configuration file (WMProxy.config.xml) on each processing server.
  - The XFFEntry range should only include the load balancer IP addresses, not the client IP addresses.
  - Most installations will have only one XFFEntry element, but you can include more than one XFFEntry element if necessary.
  - Replace {IPaddressStart} and {IPaddressEnd} with the actual addresses. Include the quote marks but not the braces.
  <WebMarshal>
    <Proxy>
      <Config>
        <XFF enabled="true">
          <XFFEntry from="{IPaddressStart}" to="{IPaddressEnd}" />
        </XFF>
      </Config>
    </Proxy>
  </WebMarshal>
- Restart the WebMarshal Proxy service.
Note:
- WMProxy.config.xml will include other entries. Do not change the other entries.
- XML files are case sensitive.
- For general information about editing XML settings files, see article Q12705.
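The following is an added example, not part of the original article or of WebMarshal: a pre-restart check of the XFF section that flags leftover braces, invalid or reversed ranges, wrong-case names, and trusted ranges that overlap client networks. The function names, the sample addresses, and the client network list (standing in for your WebMarshal IP Groups) are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: braces left in entry 1, entry 2 covers a client subnet.
SAMPLE = """<WebMarshal><Proxy><Config>
  <XFF enabled="true">
    <XFFEntry from="{192.0.2.10}" to="{192.0.2.11}" />
    <XFFEntry from="10.20.0.1" to="10.20.0.254" />
  </XFF></Config></Proxy></WebMarshal>"""
CLIENT_NETWORKS = ["10.20.0.0/16"]  # assumed to mirror the WebMarshal IP Groups

def check_xff_config(xml_text, client_networks):
    """Return a list of problems found in the XFF section of the given XML."""
    root = ET.fromstring(xml_text)
    # XML names are case sensitive, so the path must match exactly.
    xff = root.find("Proxy/Config/XFF") if root.tag == "WebMarshal" else None
    if xff is None:
        return ["no WebMarshal/Proxy/Config/XFF element"]
    problems = []
    if xff.get("enabled") != "true":
        problems.append('XFF enabled is not "true"')
    entries = xff.findall("XFFEntry")
    if not entries:
        problems.append("no XFFEntry element")
    clients = [ipaddress.ip_network(n) for n in client_networks]
    for n, entry in enumerate(entries, 1):
        raw = [entry.get("from"), entry.get("to")]
        if None in raw:
            problems.append(f"entry {n}: missing from or to")
        elif any(c in v for v in raw for c in "{}"):
            problems.append(f"entry {n}: braces left in value")
        else:
            problems += _check_range(n, raw, clients)
    return problems

def _check_range(n, raw, clients):
    try:
        start, end = (ipaddress.ip_address(v) for v in raw)
    except ValueError:
        return [f"entry {n}: not an IP address"]
    if start.version != end.version or start > end:
        return [f"entry {n}: from is after to or IP versions differ"]
    # The trusted range must hold load balancers only, never original clients.
    blocks = list(ipaddress.summarize_address_range(start, end))
    return [f"entry {n}: trusted range overlaps client network {net}"
            for net in clients
            if any(b.version == net.version and b.overlaps(net) for b in blocks)]

if __name__ == "__main__":
    print("\n".join(check_xff_config(SAMPLE, CLIENT_NETWORKS)) or "OK")
```

Run it against a copy of the edited file's text before restarting the WebMarshal Proxy service; an empty result means none of these checks failed.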