How do I configure IG (All versions) to pass the client IP address to downstream applications when proxying requests?
The purpose of this article is to provide information on configuring IG to pass the client IP address to downstream applications (such as AM) when proxying requests. Typically, proxies use the X-Forwarded-For header to pass this information; the downstream application must also be configured to make use of this header.
Overview
IG can be configured to pass the original IP address of the client by using the X-Forwarded-For HTTP header field. The downstream application must also be configured to consume the header and make use of this information, which is outside the scope of this article. Keep in mind that X-Forwarded-For is an ordinary request header that any client can set, so the downstream application should only trust it on requests that actually arrived through IG (that is, the application should not be reachable directly), and IG should not let a client-supplied value through unchanged; otherwise a client can choose the IP address the application sees, which matters when that address selects an authentication method.
Note
If the downstream application is AM, you can set the com.sun.identity.authentication.client.ipAddressHeader advanced configuration property to X-Forwarded-For to achieve this. See Handling HTTP Request Headers for further information.
Example scenario
The following example demonstrates a use case where IG would need to pass the client IP address when proxying requests:
- All incoming requests are handled by IG and proxied to AM.
- AM has been configured to use different authentication methods depending on the client IP address.
The following section explains how you can configure IG to pass the client IP address.
Configuring IG to pass the client IP address
The ClientContext supplies information about the client sending a request. When IG receives a request, it populates this context with details of the connecting client, including its remote address, which you can reference in configuration as ${contexts.client.remoteAddress}. Note that this is the address of the TCP peer IG accepted the connection from; if a load balancer or another proxy sits in front of IG, it is that device's address, not the end user's.
You can pass this information to the downstream application as follows:
- Update the config.json file (located in the $HOME/.openig/config/ directory) to add a chain that sets the header. The following example proxies all requests and captures the headers of the request being made:

  {
    "heap": [
      {
        "name": "ClientIPHeaderHandler",
        "type": "Chain",
        "config": {
          "filters": [
            {
              "type": "HeaderFilter",
              "config": {
                "messageType": "REQUEST",
                "add": {
                  "X-Forwarded-For": [ "${contexts.client.remoteAddress}" ]
                }
              }
            }
          ],
          "handler": {
            "name": "CaptureClientHandler",
            "type": "ClientHandler",
            "capture": "all"
          }
        }
      }
    ]
  }

  The HeaderFilter's add property appends a value to the header; it does not replace an X-Forwarded-For header the client already sent, so the proxied application would receive both values. If clients must not be able to influence the address the application sees, also list X-Forwarded-For under the filter's remove property (removals are applied before additions), so that the only value left is the one IG sets.
- Update the relevant route (for example, 99-default.json) to use the handler specified in step 1. For example:

  {
    "handler": "ClientIPHeaderHandler",
    "capture": "all"
  }
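The following added example is not IG's or AM's own code; it models in Python what the configuration above does to the header and what the downstream application should do with it, so you can see why a client-supplied X-Forwarded-For value matters. All addresses and requests are constructed for illustration, the header_filter function assumes IG's HeaderFilter behaviour (add appends, remove runs first), and TRUSTED_PROXIES is a hypothetical list of the proxies the application is willing to trust.

```python
"""Simulate the X-Forwarded-For flow: client -> IG HeaderFilter -> application.
Added example, not IG code. Addresses use documentation ranges (RFC 5737)."""
from ipaddress import ip_address

# Constructed topology: IG itself, and an optional load balancer in front of it.
IG_ADDRESS = "198.51.100.10"
LB_ADDRESS = "198.51.100.20"
# Hypothetical: proxies whose X-Forwarded-For entries the application trusts.
TRUSTED_PROXIES = {IG_ADDRESS, LB_ADDRESS}


def header_filter(request_headers, remote_address, remove_first):
    """Model the IG HeaderFilter from the config above.
    'add' appends contexts.client.remoteAddress to X-Forwarded-For; it does not
    replace a value the client sent. With remove_first=True the filter is
    assumed to also list the header under 'remove', which runs before 'add'."""
    headers = {name: list(values) for name, values in request_headers.items()}
    if remove_first:
        headers.pop("X-Forwarded-For", None)
    headers.setdefault("X-Forwarded-For", []).append(remote_address)
    return headers


def naive_client_ip(headers):
    """What an application sees if it simply takes the first listed address."""
    values = headers.get("X-Forwarded-For", [])
    return values[0].split(",")[0].strip() if values else None


def resolve_client_ip(headers, peer_address, trusted=TRUSTED_PROXIES):
    """Safer consumer: only honour the header when the request came from a
    trusted proxy, then walk the chain from the right (the end proxies append
    to) and return the first address that is not itself a trusted proxy."""
    if peer_address not in trusted:
        return peer_address                      # did not come through IG
    chain = [ip.strip() for value in headers.get("X-Forwarded-For", [])
             for ip in value.split(",")]
    for hop in reversed(chain):
        try:
            ip_address(hop)
        except ValueError:
            return None                          # garbage in the header: refuse to guess
        if hop not in trusted:
            return hop
    return peer_address                          # only proxies listed: treat peer as client


def demo():
    """Run an honest and a spoofing client through both filter variants.
    Returns {(client, filter_mode): (naive_result, resolved_result)}."""
    client = "192.0.2.7"                                         # constructed
    honest = {"Host": ["app.example.com:7070"]}
    spoofed = {"Host": ["app.example.com:7070"],
               "X-Forwarded-For": ["10.0.0.5"]}                  # attacker-chosen
    results = {}
    for label, request in (("honest", honest), ("spoofed", spoofed)):
        for mode, remove in (("add", False), ("remove+add", True)):
            forwarded = header_filter(request, client, remove)
            results[(label, mode)] = (naive_client_ip(forwarded),
                                      resolve_client_ip(forwarded, IG_ADDRESS))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With add alone, the spoofing client's 10.0.0.5 is what a naive consumer picks up; with remove+add, or with a consumer that walks the chain from the right past trusted proxies, the application sees the real peer address 192.0.2.7. The chain walk also covers the case where a load balancer in front of IG already appended the client address and IG appended the load balancer's.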
Capture log
You can trace the flow in the capture log. Based on the above example, you can see the request coming in from the browser and then the request being made by IG to the proxied application with the additional header:
[qtp96639997-17] INFO o.f.o.d.c.C.c.top-level-handler - --- (request) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 --->

GET http://localhost:8080/examples/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB;q=1,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Host: app.example.com:7070
If-Modified-Since: Thu, 10 Jan 2013 09:54:32 GMT
If-None-Match: W/"1209-1357811672000"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

[qtp96639997-17] INFO o.f.o.d.c.C.c.CaptureClientHandler - --- (request) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 --->

GET http://localhost:8080/examples/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB;q=1,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Host: app.example.com:7070
If-Modified-Since: Thu, 10 Jan 2013 09:54:32 GMT
If-None-Match: W/"1209-1357811672000"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
X-Forwarded-For: 192.0.2.0

[I/O dispatcher 9] INFO o.f.o.d.c.C.c.CaptureClientHandler - <--- (response) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 ---

HTTP/1.1 304 Not Modified
Date: Wed, 14 Nov 2018 18:24:19 GMT
ETag: W/"1209-1357811672000"
Server: Apache-Coyote/1.1

[I/O dispatcher 9] INFO o.f.o.d.c.C.c.top-level-handler - <--- (response) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 ---

HTTP/1.1 304 Not Modified
Date: Wed, 14 Nov 2018 18:24:19 GMT
ETag: W/"1209-1357811672000"
Server: Apache-Coyote/1.1

[qtp96639997-15] INFO o.f.o.d.c.C.c.top-level-handler -

See Also
Related Training
N/A
Related Issue Tracker IDs
N/A