The link provided doesn't address how to allow the "X-Forwarded-For" header.
Application Gateway WAF not using X-Forwarded-For or X-Real-Ip headers
Hi
We are using a proxy in front of Application Gateway with WAF enabled. The logged IP is always the proxy IP.
(Internet)-> (Proxy nginx) -> App GW -> (internal systems)
Does the App GW + WAF use the X-Forwarded-For or X-Real-IP headers when evaluating rules in WAF, or is there a setting / policy that we can enable to make it use those IPs instead of the proxy IP?
P.S. The reason for the proxy in front of the App GW has to do with migration tasks of the website from old to new, so the proxy is acting as a router in this setup (it will be removed once everything old has been migrated).
/m
SaiKishor-MSFT 17,326 Reputation points
2021-06-20T16:15:49.487+00:00
@Martin Cronholm Thank you for reaching out to Microsoft Q&A. We sincerely apologize for the delay in response.
I understand that you want to know if Azure App GW WAF uses X-Forwarded-For or X-Real-IP headers when evaluating rules in WAF.
You should be able to set up your WAF to do either of the options by selecting the match variable to be either RemoteAddr or SocketAddr. RemoteAddr is the original client IP that is usually sent via the X-Forwarded-For request header. SocketAddr is the source IP address WAF sees. If your user is behind a proxy, SocketAddr is often the proxy server address.
To set up WAF rules based on either RemoteAddr or SocketAddr, please use the steps in this link to configure the same.
Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!
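The following is an added example, not part of the thread and not Azure's implementation: a small Python model of the socket-address versus forwarded-address distinction discussed above, for the (Internet) -> (nginx proxy) -> App GW layout. It accepts X-Forwarded-For only when the TCP peer is the known proxy. The function names, the proxy address and the block list are constructed assumptions.

```python
import ipaddress

# Constructed sample values (private/documentation ranges), not from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.4/32")]   # assumed nginx proxy
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]        # assumed IP-match rule


def _in(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(socket_addr, xff, trusted=TRUSTED_PROXIES):
    """Return the address an IP-based rule should be evaluated against.

    socket_addr: the TCP peer the gateway sees.
    xff: raw X-Forwarded-For header value, or None if absent.
    """
    peer = ipaddress.ip_address(socket_addr)
    # A header sent by a peer that is not our proxy is client-controlled:
    # ignore it and evaluate the socket address.
    if not xff or not _in(peer, trusted):
        return peer
    # Walk right to left: each trusted hop appended the address it saw,
    # so the first non-proxy entry from the right is the real client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the socket peer
        if not _in(addr, trusted):
            return addr
    return peer


def ip_rule_blocks(socket_addr, xff):
    """True if the sample block list matches the effective client address."""
    return _in(effective_client_ip(socket_addr, xff), BLOCKED)
```

Entries to the left of the first untrusted address are ignored because a client can put anything there before the proxy appends the address it actually saw.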