Usage
The connector performs IP allowlisting as follows:
- Allowlisting by IP range - 123.45.67.0-123.45.67.128
- Allowlisting by IP list - 123.45.67.0,123.45.67.128
- Allowlisting by Subnet - 123.45.0.0/16
- `whitelisted_ip_range` and `whitelisted_ip_list` are optional and don't need to be configured together.
- When only `whitelisted_ip_range` is configured, the incoming user client IP address must be present in the range specified.
- When only `whitelisted_ip_list` is configured, the incoming user client IP address must be present in the IP list specified.
- When both `whitelisted_ip_range` and `whitelisted_ip_list` are configured, the client IP address must be present in either `whitelisted_ip_range` or `whitelisted_ip_list`.
- Introduced new Pre-input configuration `keep_client_ip_as_source`, which is an optional boolean flag.
- When `keep_client_ip_as_source` is true, the connector returns the IP address of the originating client; when it is false, it returns the IP address of the proxy nearest to API Management. Whichever IP address is returned, as governed by this flag, must be present either in `whitelisted_ip_range` or in `whitelisted_ip_list`. The current sequence of identifying the client IP address (below) applies only when `keep_client_ip_as_source` is set to true.
- The IP address configured must be a publicly recognized IP address (for example, as shown by <https://whatismyipaddress.com/>) that is recognized by the API Management proxy.
- Best practice for IP allowlisting (when a third-party proxy server is in front of API Management in the API call flow) is to configure the IP address of the proxy that is closest to the API Management stack (for example, Intermediate Node 2).
  For example: client/WWW --> Intermediate Node 1 --> Intermediate Node 2 --> Cloud API Management --> Resource API
- For more details on how the `X-Forwarded-For` header accumulates client IP addresses while traversing various load balancers and/or proxy servers, refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For.
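The range/list semantics above (each setting optional, either one sufficient when both are set) can be checked with a few lines of Python. This is an added illustration, not the connector's own code: the configuration values are constructed, and treating a CIDR such as 123.45.0.0/16 as a valid entry of `whitelisted_ip_list` is an assumption about how the subnet form is supplied. When neither setting is configured there is nothing to match against, so the example fails closed.

```python
import ipaddress

# Constructed connector configuration; key names are the ones the
# documentation uses, values are sample data.
CONFIG = {
    "whitelisted_ip_range": "123.45.67.0-123.45.67.128",
    "whitelisted_ip_list": "123.45.67.200,10.0.0.5",
}


def _parse_range(value: str):
    """'start-end' -> (start, end) as address objects; empty string -> None."""
    value = value.strip()
    if not value:
        return None
    start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return start, end


def _parse_list(value: str):
    """Comma-separated addresses and/or CIDR subnets -> list of ip_network objects.

    A bare address becomes a /32 (or /128) network; a CIDR entry is kept as the
    subnet (assumption: this is how the subnet form is configured).
    """
    entries = []
    for item in value.split(","):
        item = item.strip()
        if item:
            entries.append(ipaddress.ip_network(item, strict=False))
    return entries


def is_allowed(client_ip: str, config: dict) -> bool:
    """Allow if the client IP matches the configured range OR the configured list.

    Only the settings that are present are consulted; with neither present the
    request is denied rather than allowed by default.
    """
    ip = ipaddress.ip_address(client_ip.strip())
    ip_range = _parse_range(config.get("whitelisted_ip_range", ""))
    ip_list = _parse_list(config.get("whitelisted_ip_list", ""))
    if ip_range is None and not ip_list:
        return False
    # Compare only within the same IP version; mixed-version comparison raises.
    if ip_range is not None and ip.version == ip_range[0].version:
        if ip_range[0] <= ip <= ip_range[1]:
            return True
    # ip_network containment already returns False for a version mismatch.
    return any(ip in net for net in ip_list)


if __name__ == "__main__":
    for probe in ("123.45.67.64", "123.45.67.200", "123.45.67.129"):
        print(probe, "allowed" if is_allowed(probe, CONFIG) else "denied")
```

The check runs against whichever address the `keep_client_ip_as_source` flag selects; with the flag false that is the nearest proxy, so in the best-practice deployment above the allowlist would contain Intermediate Node 2's address rather than end-client addresses.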
Current Sequence of Identifying Client IP Address
The priority sequence logic (shown below) currently supported in this Connector achieves the following:
- Accurately identifies the client IP address in the data flow across various systems before it reaches the API Management stack.
- Is designed to account for the various factors that might be involved in storing the client IP address, which may involve chaining.
| Priority Sequence | HTTP Header Name | Sequence Flow | Notes |
|---|---|---|---|
| 1 | X-Forwarded-For | ↓ | Move to next only if client IP is not found in the given header |
| 2 | Proxy-Client-IP | ↓ | Move to next only if client IP is not found in the given header |
| 3 | WL-Proxy-Client-IP | ↓ | Move to next only if client IP is not found in the given header |
| 4 | HTTP_X_FORWARDED_FOR | ↓ | Move to next only if client IP is not found in the given header |
| 5 | HTTP_X_FORWARDED | ↓ | Move to next only if client IP is not found in the given header |
| 6 | HTTP_X_CLUSTER_CLIENT_IP | ↓ | Move to next only if client IP is not found in the given header |
| 7 | HTTP_CLIENT_IP | ↓ | Move to next only if client IP is not found in the given header |
| 8 | HTTP_FORWARDED_FOR | ↓ | Move to next only if client IP is not found in the given header |
| 9 | HTTP_FORWARDED | ↓ | Move to next only if client IP is not found in the given header |
| 10 | HTTP_VIA | ↓ | Move to next only if client IP is not found in the given header |
| 11 | REMOTE_ADDR | ↓ | Move to next only if client IP is not found in the given header |
| 12 | request.getRemoteAddr() | Default | Used if the client IP was not found in any of the HTTP headers above. |
The current sequence of identifying client IP address is applicable if keep_client_ip_as_source is set as true.
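The priority walk in the table, together with the effect of `keep_client_ip_as_source`, is shown below as an added Python example; it is not the connector's code. The header order is copied from the table; the request headers and addresses are constructed (documentation TEST-NET ranges), and the handling of `unknown` placeholders and of non-IP values (such as a `Via` header naming a host) is an assumption about the connector's behaviour. With the flag false the header chain is ignored and the connecting peer's address, the value in row 12, is returned directly, which is the value an upstream client cannot supply itself.

```python
import ipaddress
from typing import Mapping, Optional

# Header priority sequence, rows 1-11 of the documentation table.
HEADER_SEQUENCE = [
    "X-Forwarded-For",
    "Proxy-Client-IP",
    "WL-Proxy-Client-IP",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_X_FORWARDED",
    "HTTP_X_CLUSTER_CLIENT_IP",
    "HTTP_CLIENT_IP",
    "HTTP_FORWARDED_FOR",
    "HTTP_FORWARDED",
    "HTTP_VIA",
    "REMOTE_ADDR",
]

# Constructed request: client 203.0.113.10 -> Intermediate Node 1 (198.51.100.1)
# -> Intermediate Node 2 (192.0.2.2) -> API Management. Each proxy appended the
# address it received the request from, so the peer API Management sees is Node 2.
SAMPLE_HEADERS = {"X-Forwarded-For": "203.0.113.10, 198.51.100.1"}
SAMPLE_REMOTE_ADDR = "192.0.2.2"


def _first_valid_ip(header_value: str) -> Optional[str]:
    """Left-most syntactically valid IP in a comma-separated header value.

    Proxies append to the right, so the left-most entry is the originating
    client as reported by the chain. 'unknown' placeholders and entries that
    are not IP literals are skipped (assumption about the connector).
    """
    for part in header_value.split(","):
        part = part.strip()
        if not part or part.lower() == "unknown":
            continue
        try:
            ipaddress.ip_address(part)
        except ValueError:
            continue
        return part
    return None


def resolve_client_ip(headers: Mapping[str, str], remote_addr: str,
                      keep_client_ip_as_source: bool) -> str:
    """Apply the documented priority sequence.

    keep_client_ip_as_source=False: return the address of the peer that opened
    the connection to API Management (the nearest proxy); headers are ignored.
    keep_client_ip_as_source=True: walk the header sequence and return the first
    client IP found; fall back to remote_addr (row 12, request.getRemoteAddr()).
    """
    if not keep_client_ip_as_source:
        return remote_addr
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in HEADER_SEQUENCE:
        value = lowered.get(name.lower())
        if value:
            ip = _first_valid_ip(value)
            if ip:
                return ip  # move to the next header only if none found here
    return remote_addr


if __name__ == "__main__":
    print("originating client:", resolve_client_ip(SAMPLE_HEADERS, SAMPLE_REMOTE_ADDR, True))
    print("nearest proxy:     ", resolve_client_ip(SAMPLE_HEADERS, SAMPLE_REMOTE_ADDR, False))
```

The returned string is what the range/list allowlist check is applied to. Because every header in rows 1-11 is set by whoever sent the request to the previous hop, the left-most `X-Forwarded-For` entry is only as trustworthy as the proxies in the chain; that is why the documentation recommends allowlisting the proxy nearest to API Management when a third-party proxy is in the call flow.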