Running Web Agent, when configuring ACO "CustomIPHeader" parameter with value "X-forwarded-for" (1), as the "X-forwarded-for" has IP multiple values, the last IP gets logged in the smaccess.log of the Policy Server.

Can SiteMinder select the value from the X-forwarded-for when there's a multi-value?

The Web Agent recognizes the client IP as per this configuration:

Proxy IP : xxx.xxx.x.108
PC IP:     xxx.xxx.x.111

ACO configuration:

customipheader='X-Forwarded-For'.
proxydefinition='xxx.xxx.x.108'.

Running curl command to send a request to the Web Agent:

# curl -H "X-Forwarded-For: xxx.xxx.x.108" -b "SMCHALLENGE=YES;" -c cookie-jar.txt -v -u <User>:<Password> http://<Host_FQDN>/xforwardedfor/allheaders.php

The backend Web Agent Apache server receives the following headers:

+13735:63e26898:d|GET /xforwardedfor/allheaders.php X-Forwarded-For:xxx.xxx.x.108, xxx.xxx.x.111

and the Web Agent reports:

[02/07/2023][16:03:10][13629][293578496][CSmHttpPlugin.cpp:5975][CSmHttpPlugin::ResolveClientIp][][][][][][][][Resolved Client IP address 'xxx.xxx.x.111' from header 'X-Forwarded-For'.]

Note that Apache set the client IP at the second position. No Web Agent is running on the Proxy.

When setting 2 reverse proxies in front of the Web Agent, the X-Forwarded-For gets multiple values, the first one being always the IP of the browser as we've seen in the Mozilla documentation (2).

But as long as the Web Agent has RequireClientIP set to no, it will allow the request, and the Policy Server will set the IP to UNKNOWN.

As the CustomIPHeader does accept only 1 IP Address as per security concerns (1), configure the Reverse Proxy, or the services in front of the Web Agent to only pass 1 value and always the same one to the X-Forwarded-For header, so the Web Agent can accept it and pass it to the Policy Server.

(1)

    How to set the Client IP in smaccess logs of the Policy Server
    

(2)

    X-Forwarded-For