How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure IG (All versions) to pass the client IP address to downstream applications when proxying requests?

Last updated Jun 8, 2021

The purpose of this article is to provide information on configuring IG to pass the client IP address to downstream applications (such as AM) when proxying requests. Typically, proxies use the X-Forwarded-For header to pass this information; the downstream application must also be configured to make use of this header.



Overview

IG can be configured to pass the original IP address of the client in the X-Forwarded-For HTTP header field. The downstream application must also be configured to consume the header and make use of this information, which is outside the scope of this article. Because any HTTP client can set X-Forwarded-For itself, the downstream application should only trust the header when every request reaches it through IG (for example, when direct access to the application is blocked at the network level), and IG should replace any value the client supplied rather than pass it along.

Note

If the downstream application is AM, you can set the com.sun.identity.authentication.client.ipAddressHeader advanced configuration property to X-Forwarded-For to achieve this. See Handling HTTP Request Headers for further information.

Example scenario

The following example demonstrates a use case where IG would need to pass the client IP address when proxying requests:

  • All incoming requests are handled by IG and proxied to AM.
  • AM has been configured to use different authentication methods depending on the client IP address.

The following section explains how you can configure IG to pass the client IP address.

Configuring IG to pass the client IP address

When IG receives a request, it records information about the client that sent it (such as the remote address and port) in the ClientContext. Configuration can read this context through expressions; ${contexts.client.remoteAddress} evaluates to the IP address of the connection that IG accepted.

You can configure IG to copy this value into the X-Forwarded-For header as follows:

  1. Update the config.json file (located in the $HOME/.openig/config/ directory) to add a Chain handler that sets the header and then forwards the request with a ClientHandler. The following example proxies all requests and captures the headers of the request being made. The remove entry strips any X-Forwarded-For header that the client itself sent, so that only the address IG observed reaches the downstream application:

     {
       "heap": [
         {
           "name": "ClientIPHeaderHandler",
           "type": "Chain",
           "config": {
             "filters": [
               {
                 "type": "HeaderFilter",
                 "config": {
                   "messageType": "REQUEST",
                   "remove": [
                     "X-Forwarded-For"
                   ],
                   "add": {
                     "X-Forwarded-For": [
                       "${contexts.client.remoteAddress}"
                     ]
                   }
                 }
               }
             ],
             "handler": {
               "name": "CaptureClientHandler",
               "type": "ClientHandler",
               "capture": "all"
             }
           }
         }
       ]
     }

  2. Update the relevant route (for example, 99-default.json) to use the handler specified in step 1. For example:

     {
       "handler": "ClientIPHeaderHandler",
       "capture": "all"
     }
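Why the filter should strip any X-Forwarded-For header the client itself sent before adding its own value, as an added example that is not part of this article or of IG: the Python below models the documented HeaderFilter order (remove is applied to the message before add) together with a downstream application that reads the left-most X-Forwarded-For value, and compares what that application sees when a client supplies its own header under an add-only configuration and under remove-then-add. The addresses, the request headers and the downstream behaviour are constructed for the example.

```python
"""Model of what a downstream application sees when IG sets X-Forwarded-For.

Added example, not IG code. It mimics the documented HeaderFilter order
("remove" is applied to the message before "add") to show why the filter
should strip any X-Forwarded-For the client supplied before adding the
address IG observed. All addresses and headers below are constructed.
"""
from typing import Dict, List

# Header name -> list of values; HTTP allows a field to be repeated.
Headers = Dict[str, List[str]]

SPOOFED_ADDRESS = "10.0.0.1"       # constructed: address the client claims to be
REAL_REMOTE_ADDRESS = "192.0.2.0"  # constructed: address IG saw on the accepted connection


def header_filter(request: Headers, remote_address: str, strip_inbound: bool) -> Headers:
    """Rewrite an inbound request the way a HeaderFilter would.

    strip_inbound=False models a filter with only "add";
    strip_inbound=True models "remove": ["X-Forwarded-For"] followed by "add".
    """
    out = {name: list(values) for name, values in request.items()}
    if strip_inbound:
        out.pop("X-Forwarded-For", None)      # discard whatever the client sent
    # "add" appends the value of ${contexts.client.remoteAddress}; with add only,
    # any value the client sent stays in the message ahead of it.
    out.setdefault("X-Forwarded-For", []).append(remote_address)
    return out


def downstream_client_ip(request: Headers) -> str:
    """Client IP as seen by an application that trusts X-Forwarded-For.

    Repeated fields are equivalent to one comma-separated list, and the
    left-most entry is conventionally the originating client, so an
    application reading that entry is fooled by a spoofed header.
    """
    values = request.get("X-Forwarded-For", [])
    return ",".join(values).split(",")[0].strip()


def spoofed_request() -> Headers:
    """Constructed request from a client that sets X-Forwarded-For itself."""
    return {"Host": ["app.example.com:7070"], "X-Forwarded-For": [SPOOFED_ADDRESS]}


def compare_policies() -> Dict[str, str]:
    """Client IP the downstream would act on under each filter configuration."""
    add_only = header_filter(spoofed_request(), REAL_REMOTE_ADDRESS, strip_inbound=False)
    remove_then_add = header_filter(spoofed_request(), REAL_REMOTE_ADDRESS, strip_inbound=True)
    return {
        "add_only": downstream_client_ip(add_only),
        "remove_then_add": downstream_client_ip(remove_then_add),
    }


if __name__ == "__main__":
    for policy, ip in compare_policies().items():
        print(f"{policy:16s} downstream sees client IP {ip}")
```

With add only, the spoofed 10.0.0.1 is what the application acts on; with remove followed by add, it acts on 192.0.2.0, the address IG actually accepted the connection from. In the scenario above, where AM selects an authentication method by client IP, the first outcome lets a client choose its own authentication path.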

Capture log

You can trace the flow in the capture log. Based on the above example, you can see the request coming in from the browser (logged by top-level-handler) without an X-Forwarded-For header, and then the request made by IG to the proxied application (logged by CaptureClientHandler) with the header added, carrying the client address IG observed:

[qtp96639997-17] INFO o.f.o.d.c.C.c.top-level-handler - --- (request) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 --->
GET http://localhost:8080/examples/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB;q=1,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Host: app.example.com:7070
If-Modified-Since: Thu, 10 Jan 2013 09:54:32 GMT
If-None-Match: W/"1209-1357811672000"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

[qtp96639997-17] INFO o.f.o.d.c.C.c.CaptureClientHandler - --- (request) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 --->
GET http://localhost:8080/examples/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB;q=1,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Host: app.example.com:7070
If-Modified-Since: Thu, 10 Jan 2013 09:54:32 GMT
If-None-Match: W/"1209-1357811672000"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
X-Forwarded-For: 192.0.2.0

[I/O dispatcher 9] INFO o.f.o.d.c.C.c.CaptureClientHandler - <--- (response) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 ---
HTTP/1.1 304 Not Modified
Date: Wed, 14 Nov 2018 18:24:19 GMT
ETag: W/"1209-1357811672000"
Server: Apache-Coyote/1.1

[I/O dispatcher 9] INFO o.f.o.d.c.C.c.top-level-handler - <--- (response) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 ---
HTTP/1.1 304 Not Modified
Date: Wed, 14 Nov 2018 18:24:19 GMT
ETag: W/"1209-1357811672000"
Server: Apache-Coyote/1.1

[qtp96639997-15] INFO o.f.o.d.c.C.c.top-level-handler -
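A way to check a capture log for this rewrite automatically, as an added example that is not part of this article or of IG: the Python below parses capture entries of the shape shown above (a log line carrying the request id and direction, then the HTTP start line, then header lines), pairs the inbound request logged by top-level-handler with the outbound request logged by the ClientHandler, and flags any request id where no X-Forwarded-For was sent downstream or where a value the client supplied was passed on. The sample log is constructed and abbreviated to the fields the check needs; its request ids and thread names are invented.

```python
"""Check an IG capture log for the X-Forwarded-For rewrite.

Added example, not part of the article or of IG. It parses capture entries
of the form shown above (a log line carrying '--- (request|response) id:...',
then the HTTP start line, then header lines) and, per request id, compares
the X-Forwarded-For value the client sent in with the value IG sent on to
the application. The log below is constructed and abbreviated; its request
ids and thread names are invented.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = """\
[qtp-1] INFO o.f.o.d.c.C.c.top-level-handler - --- (request) id:req-1 --->
GET http://localhost:8080/examples/ HTTP/1.1
Host: app.example.com:7070
User-Agent: curl/7.79.1

[qtp-1] INFO o.f.o.d.c.C.c.CaptureClientHandler - --- (request) id:req-1 --->
GET http://localhost:8080/examples/ HTTP/1.1
Host: app.example.com:7070
User-Agent: curl/7.79.1
X-Forwarded-For: 192.0.2.0

[qtp-2] INFO o.f.o.d.c.C.c.top-level-handler - --- (request) id:req-2 --->
GET http://localhost:8080/examples/ HTTP/1.1
Host: app.example.com:7070
X-Forwarded-For: 10.0.0.1

[qtp-2] INFO o.f.o.d.c.C.c.CaptureClientHandler - --- (request) id:req-2 --->
GET http://localhost:8080/examples/ HTTP/1.1
Host: app.example.com:7070
X-Forwarded-For: 10.0.0.1
X-Forwarded-For: 198.51.100.7

[io-1] INFO o.f.o.d.c.C.c.CaptureClientHandler - <--- (response) id:req-2 ---
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
"""

ENTRY_RE = re.compile(
    r"^\[[^\]]+\] INFO (?P<logger>\S+) -\s+<?--- \((?P<kind>request|response)\) id:(?P<id>\S+) ---"
)
START_LINE_RE = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3})")


def parse_capture(log: str) -> List[dict]:
    """Split a capture log into entries with id, kind, logger and lower-cased headers."""
    entries: List[dict] = []
    current: Optional[dict] = None
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"id": m["id"], "kind": m["kind"], "logger": m["logger"], "headers": {}}
            entries.append(current)
        elif current is None or not line.strip() or START_LINE_RE.match(line):
            continue  # outside an entry, blank separator, or the request/status line
        else:
            name, _, value = line.partition(":")
            current["headers"].setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def forwarded_for_report(log: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Per request id: X-Forwarded-For as received from the client and as sent downstream.

    top-level-handler entries are the request as IG received it; entries from the
    ClientHandler named in the chain (CaptureClientHandler above) are what IG sent on.
    """
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for entry in parse_capture(log):
        if entry["kind"] != "request":
            continue
        xff = ", ".join(entry["headers"].get("x-forwarded-for", [])) or None
        side = "inbound" if entry["logger"].endswith("top-level-handler") else "outbound"
        report.setdefault(entry["id"], {"inbound": None, "outbound": None})[side] = xff
    return report


def findings(log: str) -> List[str]:
    """Flag requests with no header sent downstream, or a client-supplied value passed on."""
    problems: List[str] = []
    for rid, sides in forwarded_for_report(log).items():
        if sides["outbound"] is None:
            problems.append(f"{rid}: no X-Forwarded-For sent downstream")
        elif sides["inbound"] and sides["inbound"] in sides["outbound"]:
            problems.append(f"{rid}: client-supplied X-Forwarded-For {sides['inbound']!r} passed downstream")
    return problems


if __name__ == "__main__":
    for rid, sides in forwarded_for_report(SAMPLE_LOG).items():
        print(rid, sides)
    for problem in findings(SAMPLE_LOG):
        print("FINDING:", problem)
```

In the constructed log, req-1 is the healthy case shown in the article: no header inbound, one header with the observed address outbound. req-2 shows what an add-only HeaderFilter produces when the client sends its own X-Forwarded-For: the spoofed 10.0.0.1 survives ahead of the address IG added, and the check reports it. Run against a real capture log, an empty report or a list of findings is a quick confirmation that the route behaves as intended.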

See Also

How do I configure IG (All versions) to retrieve the user certificate and pass it to AM in the HTTP header?

Installing and configuring IG

Chain

Route

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.