Not receiving X-Forwarded-For header in WAF

One of our clients is trying to reach our application but they are not able to reach it, getting a 403 error. We have enabled WAF for this application with a custom rule looking for an X-Forwarded-For header matching an IP set. However, we notice that the X-Forwarded-For header is not present in the request from the client. Since the client IP is dynamic and they appear to be behind a proxy server, we couldn't use their source IP to whitelist in WAF, and no changes can be made on the proxy server. Any help on getting the X-Forwarded-For header in the request, or any other way to whitelist with any unique parameters?

2 answers

If your application supports it, using API keys or tokens for authentication can bypass the need for IP whitelisting. This method can authenticate the request based on the provided token, regardless of the IP address. Shift the focus from IP-based whitelisting to application-level authentication, such as OAuth tokens, JWT tokens, or other mechanisms that validate the user or the client application rather than the IP address.

Expert
Answered 2 months ago

Are you using CloudFront, or another CDN in front of WAF? If so, make sure that the CDN is not stripping the header. If you do have a CDN in front of WAF, try accessing the resource (ALB, EIP, etc.) directly, and see if you are still not seeing the X-Forwarded-For header.

If you are using CloudFront, this can be fixed by enabling the All Viewer origin request policy, which will ensure that all request headers (and cookies, and query params) are forwarded to the app.

AWS
Answered 1 month ago
AWS
Expert
Reviewed 1 month ago
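As an added example (not from the question or either answer), the following Python models how a WAF IP set rule that inspects X-Forwarded-For behaves when the header is missing: with the rule in allow mode and a blocking default, no header means no match, which is the 403 the client is seeing. The `ALLOWED_IP_SET` ranges are constructed, and the `position`/`fallback_behavior` option names mirror AWS WAF's IPSetForwardedIPConfig settings, but the code is a simulation for reasoning about the rule, not AWS's implementation.

```python
import ipaddress
from typing import Iterable, Mapping, Optional, Union

# Constructed allow-list standing in for the question's WAF IP set.
ALLOWED_IP_SET = ("203.0.113.0/24", "198.51.100.7/32")

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(token: str) -> Optional[IPAddr]:
    """Return an IPv4/IPv6 address, or None if the token is not a valid IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def ip_set_matches_forwarded_ip(
    headers: Mapping[str, str],
    ip_set: Iterable[str] = ALLOWED_IP_SET,
    header_name: str = "X-Forwarded-For",
    position: str = "FIRST",              # FIRST | LAST | ANY
    fallback_behavior: str = "NO_MATCH",  # MATCH | NO_MATCH
) -> bool:
    """Model an IP set statement that inspects a forwarded-IP header.

    Header absent or with no parsable address -> fallback_behavior decides.
    Otherwise the address at the configured position is tested against the set.
    Note: the FIRST entry is whatever the client (or its proxy) put there, so
    an allow rule on it only holds if the first hop is a trusted proxy.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in ip_set]
    raw = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if raw is None:
        return fallback_behavior == "MATCH"
    addrs = [a for a in (_parse_ip(t) for t in raw.split(",")) if a is not None]
    if not addrs:  # present but unparsable: same fallback path as missing
        return fallback_behavior == "MATCH"
    if position == "FIRST":
        candidates = addrs[:1]
    elif position == "LAST":
        candidates = addrs[-1:]
    else:
        candidates = addrs
    # ip_network.__contains__ returns False across IP versions, so mixing is safe.
    return any(a in net for a in candidates for net in networks)


def waf_decision(headers: Mapping[str, str], **rule_kwargs) -> int:
    """Allow rule with a BLOCK default: 200 when the rule matches, else 403."""
    return 200 if ip_set_matches_forwarded_ip(headers, **rule_kwargs) else 403
```

Running `waf_decision({})` reproduces the question's symptom (403 with no header), while the same call with `fallback_behavior="MATCH"` shows why that fallback is not a safe fix: it allows every request that simply omits the header.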
