For added security, you can add the IP address of the reverse proxy as a condition to check before granting access. One way to implement this is to create a rule that requires the X-Forwarded-For IP address in the HTTP header to match the configured IP address of the reverse proxy that is using the policy. The X-Forwarded-For IP condition matches the first IP address in the X-Forwarded-For header with the IP address specified in the Value field.
To set up matching for this condition, specify the following details:
Comparison: Specify how the X-Forwarded-For IP address is compared to the data in the Value field. Select one of the following types:
Comparison: IP: Specifies that you want the values compared as IP addresses. Select one of the following:
Equals: Allows you to specify an IP address that the X-Forwarded-For IP address must match. You can specify more than one.
In Range: Allows you to specify a range of IP addresses that the X-Forwarded-For IP address must fall within. You can specify more than one range.
In Subnet: Allows you to specify the subnet that the X-Forwarded-For IP address must belong to. You can specify more than one subnet.
Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions. If you select this option, you must also specify a Mode. Select one or more of the following:
For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.
Value: Specify the value type and value for the comparison. Select one of the following:
Client IP: If you want the first IP address in the X-Forwarded-For header compared to the IP address of the client making the request, select this option.
NOTE:Client IP will not support IPv6 addresses.
LDAP Attribute: If you have defined an LDAP attribute for an IP address, you can select this option, then select your attribute.
Liberty User Profile: If you have defined a Liberty User Profile attribute for an IP address, you can select this option, then select your attribute.
X-Forwarded-For-IP: Allows you to control access based on the value in the X-Forwarded-For IP header of the HTTP request. This supports IPv6 address when you use the X-Forwarded-For IP condition.
Data Entry Field: To specify a static value, select Data Entry Field and provide a value appropriate for your comparison type. For example:
Comparison Type |
IPv4 Value |
IPv6 Value |
---|---|---|
Equals |
10.10.10.10 10.10.10.11 |
2001:1000:1000:1000:1000:1000:1000:1a8a 2001::10a0 |
In Range |
10.10.10.10 - 10.10.10.100 10.10.20.10 - 10.10.20.100 |
2134::10 -2134::100 2134:1000:1000:1000:1000:1000:2000:1000 - 2134:1000:1000:1000:1000:1000:2000:4000 |
In Subnet |
10.10.10.12 / 22 10.10.20.30 / 22 |
2001:1000::0002:1000:1a8a/40 2001:1000:1000:2000:3000:4000:5000:1a8a/50 |
You can now enter an IPv6 IP address. If you enter a zone ID and scope ID in an IP address with % sign, you will get an error. For more information see Setting up L4 Switch for IPv6 Support.
If you selected IP for the comparison type, you can add multiple values:
Use the Edit button to access a text box where you can enter multiple values, each on a separate line.
Use the Add button to add values one at a time.
All listed values are compared to the IP address in the X-Forwarded-For IP header until a match is found or the list is exhausted.
Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.