Logging of X-Forwarded-For IP in smaccess.log for Policy Server
Article ID: 260860

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

When the Web Agent runs with the ACO parameter "CustomIPHeader" set to "X-forwarded-for" (1), and the "X-forwarded-for" header carries multiple IP values, the last IP gets logged in the smaccess.log of the Policy Server.

Can SiteMinder select the value from the X-forwarded-for header when it holds multiple values?

Cause

The Web Agent resolves the client IP according to the following test configuration:

Proxy IP: 192.168.1.108
PC IP:    192.168.1.111

ACO configuration:

customipheader='X-Forwarded-For'
proxydefinition='192.168.1.108'

Running a curl command to send a request to the Web Agent:

# curl -H "X-Forwarded-For: 192.168.1.108" -b "SMCHALLENGE=YES;" -c cookie-jar.txt -v -u jsmith:CAdemo123 http://sps.training.com/xforwardedfor/allheaders.php

The backend Web Agent Apache server receives the following headers:

+13735:63e26898:d|GET /xforwardedfor/allheaders.php X-Forwarded-For:192.168.1.108, 192.168.1.111

and the Web Agent reports:

[02/07/2023][16:03:10][13629][293578496][CSmHttpPlugin.cpp:5975][CSmHttpPlugin::ResolveClientIp][][][][][][][][Resolved Client IP address '192.168.1.111' from header 'X-Forwarded-For'.]

Note that Apache put the client IP in the second position. No Web Agent is running on the Proxy.

When 2 reverse proxies are set in front of the Web Agent, the X-Forwarded-For header gets multiple values, the first one always being the IP of the browser, as described in the Mozilla documentation (2).

But as long as the Web Agent has RequireClientIP set to no, it will allow the request, and the Policy Server will set the IP to UNKNOWN.

Resolution

As the CustomIPHeader accepts only 1 IP address, for security reasons (1), configure the Reverse Proxy, or whichever services sit in front of the Web Agent, to pass only 1 value, and always the same one, in the X-Forwarded-For header, so the Web Agent can accept it and pass it to the Policy Server.
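One way to perform that normalisation on the proxy tier in front of the Web Agent, as an added example that is not SiteMinder or Broadcom code: walk the X-Forwarded-For chain from the right, skip the hops that belong to proxies you operate (the same idea as the ACO proxydefinition, here a constructed sample set), and forward a header that contains exactly one IP. Everything left of the first untrusted hop was supplied by parties you do not control, which is why the trace above shows the curl-injected 192.168.1.108 first and the real client second. The sample header values are constructed from the article's trace.

```python
"""Collapse a multi-value X-Forwarded-For chain to the single client IP.

Added example, not SiteMinder/Broadcom code. It assumes the reverse proxy
directly in front of the Web Agent can run this logic (or an equivalent
configuration) before forwarding the request.
"""
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed sample: the reverse proxies between the browser and the Web Agent.
TRUSTED_PROXIES: Set[str] = {"192.168.1.108"}


def parse_xff(header_value: str) -> List[str]:
    """Split an X-Forwarded-For value into its entries, keeping only well-formed IPs."""
    entries = []
    for raw in header_value.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            entries.append(str(ipaddress.ip_address(item)))
        except ValueError:
            # Malformed entries ('unknown', hostnames, junk) are dropped, never trusted.
            continue
    return entries


def resolve_client_ip(header_value: str, trusted: Set[str] = TRUSTED_PROXIES) -> Optional[str]:
    """Rightmost hop that is not one of our proxies is the client.

    Our proxies append the peer address they saw, so the entries they added are
    the only ones that were not under the client's control.
    """
    for ip in reversed(parse_xff(header_value)):
        if ip not in trusted:
            return ip
    return None  # nothing but our own proxies (or nothing at all) in the chain


def forward_headers(incoming_xff: str, trusted: Set[str] = TRUSTED_PROXIES) -> Dict[str, str]:
    """Header to send to the Web Agent: a single-value X-Forwarded-For, or no header.

    Omitting the header when no client IP can be derived lets a Web Agent with
    RequireClientIP=no fall back to UNKNOWN rather than trusting a bogus value.
    """
    ip = resolve_client_ip(incoming_xff, trusted)
    return {"X-Forwarded-For": ip} if ip else {}


if __name__ == "__main__":
    # Constructed inputs modelled on the article's trace.
    samples = [
        "192.168.1.108, 192.168.1.111",  # curl injected a fake first hop; proxy appended the client
        "192.168.1.111, 192.168.1.108",  # two proxies: browser first, inner proxy appended by outer one
        "unknown, 192.168.1.111",        # malformed first entry
        "192.168.1.108",                 # only our own proxy: no client IP derivable
        "",
    ]
    for s in samples:
        print(repr(s), "->", forward_headers(s))
```

The trusted set must contain only addresses of proxies you operate; a client-supplied entry that happens to match a trusted address is skipped exactly like a real hop, so keeping that set tight is what makes the resolved value reliable.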

Additional Information

(1) How to set the Client IP in smaccess logs of the Policy Server

(2) X-Forwarded-For