WAF + Application Gateway - IP Match custom rules not working when using proxy (even when x-forwarded-for and x-real-ip headers present)

Andy Charalambous 1 Reputation point
2022-09-28T00:55:08.077+00:00

Hi,

I'm using CloudFlare as a proxy, and although both x-forwarded-for and x-real-ip headers are present in all requests originating from CF, my custom IP address rules in the WAF policy linked to an application gateway are not working. If I replace them with a custom string request-header match rule I can get it to work, but the issue is that I have to whitelist a hundred IPs and also some very large CIDR network IP ranges, so creating rules with each IP address explicitly present as a match value is impractical. Why is it not working? All the documentation indicates that IP address matching rules work by looking at the x-forwarded-for header (for RequestAddr).

Thanks
Andy

Tags: Azure Application Gateway, Azure Web Application Firewall

1 answer

  1. KapilAnanth-MSFT 35,336 Reputation points Microsoft Employee
    2022-09-28T08:52:47.86+00:00

    Hi @Andy Charalambous ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to use a proxy + WAF and restrict access only to certain IP addresses using custom rules.

    I believe this feature is supported with Azure Front Door WAF and not with App gateway WAF.

    With App Gateway custom rules,

    • I see only the RemoteAddr match variable is available
    • Here, RemoteAddr refers to the IP from which the WAF sees requests
    • In your case, this must be the proxy server's IP
    • Refer: App Gateway custom rules

    However, with AFD custom rules,

    • I can see two match variables, RemoteAddr and SocketAddr
    • Here, RemoteAddr is the original client IP that is usually sent via X-Forwarded-For request header.
    • SocketAddr is the source IP address WAF sees
    • Refer: Web Application Firewall for Azure Front Door

    You can try going with AFD if you would like to use the WAF to filter using X-Forwarded-For client IPs.

    I understand that the naming convention is different with AppGW and AFD.
    I shall work internally with our product team and see if we can update the documents to explicitly mention this to avoid any confusion.

    Please let me know if you have any queries on this, I shall be glad to address them.

    Thanks,
    Kapil

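The distinction the answer draws between the address the WAF sees and the address carried in X-Forwarded-For, as an added example that is not part of this thread and not Azure's own code. It models both variables under Front Door's names (App Gateway WAF's RemoteAddr behaves like SocketAddr here), evaluates an IPMatch allowlist against each for traffic arriving through a proxy, and shows why the string request-header match mentioned in the question is not a substitute for a CIDR match. The proxy range, allowlist CIDRs and sample requests are constructed; the "trust the header only from a known proxy, read it right to left" rule for deriving the client IP is a common hardening practice assumed here, not Azure's documented behaviour.

```python
"""Added example (not from the Q&A thread, not Azure code): how an IPMatch
allow rule behaves on the TCP peer address versus the X-Forwarded-For client
address when the WAF sits behind a proxy. All addresses are constructed."""
import ipaddress

# Constructed: ranges from which the proxy in front of the WAF connects.
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed: client networks the allowlist should admit (the question
# mentions ~100 hosts plus large CIDRs; two entries suffice to show the logic).
ALLOWED_CLIENT_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _in_any(ip, cidrs):
    # ipaddress returns False for a version mismatch, so mixed v4/v6 is safe.
    return any(ip in net for net in cidrs)


def socket_addr(request):
    """The TCP peer: App Gateway WAF's RemoteAddr, Front Door WAF's SocketAddr.
    Behind a proxy this is the proxy, which is why the question's rule never matched."""
    return ipaddress.ip_address(request["peer"])


def forwarded_client_ip(request, trusted_proxies):
    """Client IP derived from X-Forwarded-For, the notion Front Door's RemoteAddr
    carries. Assumed hardening (not Azure-documented): honour the header only
    when the peer is a trusted proxy, and take the rightmost hop that is not a
    trusted proxy, so a client-supplied prefix cannot override what the proxy
    appended. Returns None when no client address can be established."""
    peer = socket_addr(request)
    if not _in_any(peer, trusted_proxies):
        return peer  # direct hit on the WAF: ignore a possibly forged header
    header = request.get("headers", {}).get("x-forwarded-for", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: fail closed
        if not _in_any(ip, trusted_proxies):
            return ip
    return None  # header empty or made only of proxy hops


def ip_match_rule(request, variable, allowlist, trusted_proxies=TRUSTED_PROXY_CIDRS):
    """Allow rule with operator IPMatch on a match variable, Front Door naming:
    'SocketAddr' (peer) or 'RemoteAddr' (XFF-derived client). Fails closed."""
    if variable == "SocketAddr":
        ip = socket_addr(request)
    elif variable == "RemoteAddr":
        ip = forwarded_client_ip(request, trusted_proxies)
    else:
        raise ValueError(f"unknown match variable {variable!r}")
    return "Allow" if ip is not None and _in_any(ip, allowlist) else "Block"


def header_contains_rule(request, needles):
    """The workaround from the question: a string 'Contains' match on the
    X-Forwarded-For header. It cannot express a CIDR, and a bare dotted quad
    also matches any longer address that merely starts with it."""
    header = request.get("headers", {}).get("x-forwarded-for", "")
    return "Allow" if any(n in header for n in needles) else "Block"


# Constructed sample requests.
VIA_PROXY = {"peer": "198.51.100.7", "headers": {"x-forwarded-for": "203.0.113.5"}}
DIRECT_FORGED = {"peer": "192.0.2.99", "headers": {"x-forwarded-for": "203.0.113.5"}}
PROXY_FORGED = {"peer": "198.51.100.7",
                "headers": {"x-forwarded-for": "203.0.113.5, 192.0.2.99"}}
PREFIX_COLLISION = {"peer": "198.51.100.7", "headers": {"x-forwarded-for": "192.0.2.100"}}

if __name__ == "__main__":
    cases = [("allowed client via proxy", VIA_PROXY),
             ("direct hit, forged XFF", DIRECT_FORGED),
             ("via proxy, forged XFF prefix", PROXY_FORGED),
             ("prefix collision 192.0.2.100", PREFIX_COLLISION)]
    for label, req in cases:
        print(f"{label:32} SocketAddr={ip_match_rule(req, 'SocketAddr', ALLOWED_CLIENT_CIDRS):5} "
              f"RemoteAddr={ip_match_rule(req, 'RemoteAddr', ALLOWED_CLIENT_CIDRS):5} "
              f"header-contains={header_contains_rule(req, ['203.0.113.', '192.0.2.10'])}")
```

Running the table shows the symptom from the question (the allowed client is blocked on SocketAddr because the peer is the proxy), the Front Door-style RemoteAddr evaluation admitting it, the two forged-header attempts being blocked, and the string workaround admitting 192.0.2.100 because it contains "192.0.2.10".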