Application Gateway WAF not using X-Forwarded-For or X-Real-Ip headers

Martin Cronholm 1 Reputation point
2021-06-09T07:01:20.01+00:00

Hi

We are using a proxy in front of Application Gateway with WAF enabled. The logged IP is always the proxy IP.

(Internet)-> (Proxy nginx) -> App GW -> (internal systems)

Does the App GW + WAF use the X-Forwarded-For or X-Real-IP headers when evaluating rules in WAF, or is there a setting / policy that we can enable to make it use those IPs instead of the proxy IP?

P.S. The reason for the proxy in front of App GW has to do with migration tasks of the website from old to new, so the proxy is acting as a router in this setup. (It will be removed once all the old has been migrated.)

/m

Azure Application Gateway

2 answers

  1. Rodrigo 5 Reputation points
    2023-02-03T07:12:17.82+00:00

    The link provided doesn't address how to allow the "X-Forwarded-For" header.

    1 person found this answer helpful.

  2. SaiKishor-MSFT 17,326 Reputation points
    2021-06-20T16:15:49.487+00:00

    @Martin Cronholm Thank you for reaching out to Microsoft Q&A. We sincerely apologize for the delay in response.

    I understand that you want to know if Azure App GW WAF uses X-Forwarded-For or X-Real-IP headers when evaluating rules in WAF.

    You should be able to set up your WAF to do either of the options by selecting the match variable to be either RemoteAddr or SocketAddr. RemoteAddr is the original client IP that is usually sent via the X-Forwarded-For request header. SocketAddr is the source IP address WAF sees. If your user is behind a proxy, SocketAddr is often the proxy server address.

    To set up WAF rules based on either RemoteAddr or SocketAddr, please use the steps in this link to configure the same.

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

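An added example, not part of either answer and not Azure or project code: the socket-address versus forwarded-address distinction discussed above, written as a check a backend or log pipeline behind the proxy could apply. The trusted proxy range and every sample address are constructed assumptions; X-Forwarded-For is honored only when the connection comes from a trusted proxy, because the header is client-supplied.

```python
import ipaddress

# Assumption: address range of the nginx proxy tier (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def _parse_hop(token):
    """Parse one X-Forwarded-For entry; tolerate 'ip:port' and '[v6]:port'."""
    token = token.strip()
    if token.startswith("["):
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:  # IPv4 followed by a port
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def effective_client_ip(socket_addr, xff_header):
    """Return the address to use for IP-based rules and logging.

    socket_addr: peer address of the TCP connection (the proxy, if one is in front).
    xff_header:  raw X-Forwarded-For value, or None.
    """
    peer = ipaddress.ip_address(socket_addr)
    # A direct client can put anything in the header, so ignore it
    # unless the connection really came from one of our own proxies.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the peer it saw, so walk right to left and stop
    # at the first hop that is not one of our proxies.
    candidate = peer
    for token in reversed(xff_header.split(",")):
        hop = _parse_hop(token)
        if hop is None:
            break  # malformed entry: keep the last address we could verify
        candidate = hop
        if not _is_trusted(hop):
            break
    return str(candidate)
```

Entries to the left of the first untrusted hop are never used, so a client that pre-fills the header cannot choose the address that rules and logs see.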

