Logging of X-Forwarded-For IP in smaccess.log for Policy Server


Article ID: 260860




SITEMINDER, CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder)



When a Web Agent runs with the ACO parameter "CustomIPHeader" set to "X-forwarded-for" (1) and the X-Forwarded-For header carries multiple IP values, the last IP gets logged in the smaccess.log of the Policy Server.

Can SiteMinder select which value to use from the X-Forwarded-For header when the header contains multiple values?




The Web Agent recognizes the client IP as per this configuration:

Proxy IP :

ACO configuration:


Running curl command to send a request to the Web Agent:

# curl -H "X-Forwarded-For:" -b "SMCHALLENGE=YES;" -c cookie-jar.txt -v -u jsmith:CAdemo123 http://sps.training.com/xforwardedfor/allheaders.php

The backend Web Agent Apache server receives the following headers:

+13735:63e26898:d|GET /xforwardedfor/allheaders.php X-Forwarded-For:,

and the Web Agent reports:

[02/07/2023][16:03:10][13629][293578496][CSmHttpPlugin.cpp:5975][CSmHttpPlugin::ResolveClientIp][][][][][][][][Resolved Client IP address '' from header 'X-Forwarded-For'.]

Note that Apache set the client IP at the second position. No Web Agent is running on the Proxy.

With 2 reverse proxies in front of the Web Agent, the X-Forwarded-For header gets multiple values, the first one always being the IP of the browser, as described in the Mozilla documentation (2).

But as long as the Web Agent has RequireClientIP set to no, it will allow the request, and the Policy Server will set the IP to UNKNOWN.




Because CustomIPHeader accepts only 1 IP address, for security reasons (1), configure the reverse proxy, or the services in front of the Web Agent, to pass only 1 value, and always the same one, in the X-Forwarded-For header, so that the Web Agent can accept it and pass it to the Policy Server.
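
An added example (not part of the original article, and not SiteMinder or Broadcom code) of the selection logic a reverse proxy in front of the Web Agent can apply so that X-Forwarded-For always carries exactly one value. The trusted proxy range, the sample addresses and the function names are assumptions; the chain is read from the right because the leftmost entries can be supplied by the sender, as the curl request above does.

```python
import ipaddress

# Assumption: address range of the reverse proxies in front of the Web Agent.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_xff(header_value):
    """Split an X-Forwarded-For value into validated IP addresses, left to right."""
    hops = []
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma such as "203.0.113.7,"
        hops.append(ipaddress.ip_address(token))  # raises ValueError on junk
    return hops


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    return any(ip in net for net in trusted)


def single_client_ip(header_value, peer_ip, trusted=TRUSTED_PROXIES):
    """Return the one address to forward in X-Forwarded-For.

    Walk the chain right to left, starting with the TCP peer, and stop at the
    first hop that is not one of our own proxies. Entries to the left of that
    hop were supplied by the sender and are not used.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted):
        return str(peer)  # direct connection: ignore any header the client sent
    try:
        hops = parse_xff(header_value or "")
    except ValueError:
        return str(peer)  # malformed header: fall back to the connecting proxy
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return str(hop)
    return str(peer)  # header empty, or only our own proxies listed


if __name__ == "__main__":
    # Constructed requests: (X-Forwarded-For as received, TCP peer address)
    samples = [("203.0.113.7, 10.0.0.5", "10.0.0.6"),
               ("198.51.100.9, 203.0.113.7", "10.0.0.5"),
               ("198.51.100.9", "203.0.113.7")]
    for xff, peer in samples:
        print(f"{xff!r:32} via {peer:12} -> X-Forwarded-For: {single_client_ip(xff, peer)}")
```

The proxy closest to the Web Agent would overwrite X-Forwarded-For with this single value, so CustomIPHeader always sees one address selected by the same rule.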


Additional Information



    How to set the Client IP in smaccess logs of the Policy Server