How To

How do I configure IG/OpenIG (All versions) to pass the client IP address to downstream applications when proxying requests?

Last updated Jun 12, 2019

The purpose of this article is to provide information on configuring IG/OpenIG to pass the client IP address to downstream applications (such as AM/OpenAM) when proxying requests. Typically proxies use the X-Forwarded-For header to pass this information; the downstream application must also be configured to make use of this header.



Overview

IG/OpenIG can be configured to pass the original IP address of the client by using the X-Forwarded-For HTTP header field. The downstream application must also be configured to consume the header and make use of this information, which is outside the scope of this article. Because X-Forwarded-For is an ordinary request header that any client can set, the downstream application should only honour it on connections that arrive from IG/OpenIG; if clients can reach the application directly, they can supply whatever address they like.

Note

If the downstream application is AM/OpenAM, you can set the com.sun.identity.authentication.client.ipAddressHeader advanced configuration property to X-Forwarded-For to achieve this. See Installation Guide › Handling HTTP Request Headers for further information.

Example scenario

The following example demonstrates a use case where IG/OpenIG would need to pass the client IP address when proxying requests:

  • All incoming requests are handled by IG/OpenIG and proxied to AM/OpenAM.
  • AM/OpenAM has been configured to use different authentication methods depending on the client IP address.

The following section explains how you can configure IG/OpenIG to pass the client IP address.

Configuring IG/OpenIG to pass the client IP address

The ClientContext supplies information about the client sending a request. When IG/OpenIG receives a request, it populates this context with details of the connection, including the remote address, which is available to expressions as ${contexts.client.remoteAddress}.

You can copy that value into an X-Forwarded-For header as follows:

  1. Update the config.json file (located in the $HOME/.openig/config/ directory) to add a Chain containing a HeaderFilter. The following example proxies all requests, adds the X-Forwarded-For header to each outbound request and captures the headers of the request being made. Note that add appends to any X-Forwarded-For value the client already sent; if the downstream application should receive only the value written by IG/OpenIG, also list the header under the HeaderFilter's remove property, which is applied before add:
    {
      "heap": [
        {
          "name": "ClientIPHeaderHandler",
          "type": "Chain",
          "config": {
            "filters": [
              {
                "type": "HeaderFilter",
                "config": {
                  "messageType": "REQUEST",
                  "add": {
                    "X-Forwarded-For": [
                      "${contexts.client.remoteAddress}"
                    ]
                  }
                }
              }
            ],
            "handler": {
              "name": "CaptureClientHandler",
              "type": "ClientHandler",
              "capture": "all"
            }
          }
        }
      ]
    }
    
  2. Update the relevant route (for example, 99-default.json) to use the handler specified in step 1. For example:
    {
        "handler": "ClientIPHeaderHandler",
        "capture": "all"
    }
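
The following is an added example, not ForgeRock code, that models the two sides of this setup in Python: what leaves IG in X-Forwarded-For when the client already sent a value of its own (with a HeaderFilter that only adds, and with one that removes then adds), and how a downstream application should resolve the client address so that only values written by a trusted IG/OpenIG are honoured. The trusted proxy network 10.0.0.0/8, the header dictionary layout and the sample addresses are assumptions made for the example.

```python
"""Added example (not ForgeRock/IG code): X-Forwarded-For handling on both
sides of the proxy. Headers are modelled as {canonical-name: [values]}."""
from ipaddress import ip_address, ip_network

# Assumption: the addresses IG/OpenIG instances connect from. Only these peers
# may assert a client address on behalf of someone else.
TRUSTED_PROXY_NETWORKS = [ip_network("10.0.0.0/8")]


def proxy_forward(inbound_headers, remote_address, strip_inbound=True):
    """Headers IG would send downstream for a request whose TCP peer is
    remote_address (what ${contexts.client.remoteAddress} evaluates to).

    strip_inbound=False mimics a HeaderFilter with only 'add': a value the
    client already sent survives and IG's value is appended after it.
    strip_inbound=True mimics 'remove' then 'add': exactly one value leaves IG.
    """
    out = {name: list(values) for name, values in inbound_headers.items()}
    if strip_inbound:
        out.pop("X-Forwarded-For", None)
    out.setdefault("X-Forwarded-For", []).append(remote_address)
    return out


def client_ip(headers, peer_address, trusted_proxies=TRUSTED_PROXY_NETWORKS):
    """Client address as a downstream application (AM here) should derive it.

    The header is honoured only when the connection itself comes from a trusted
    proxy; a client that bypasses IG gets its real peer address back whatever it
    put in X-Forwarded-For. Values are scanned right to left (the right-most
    value is the one written by the proxy nearest to us) and trusted proxy
    addresses are skipped, so the result is the first hop we did not control.
    """
    peer = ip_address(peer_address)
    if not any(peer in net for net in trusted_proxies):
        return peer_address
    hops = []
    for raw in headers.get("X-Forwarded-For", []):
        hops.extend(part.strip() for part in raw.split(",") if part.strip())
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return peer_address  # garbage in the header: fall back, never trust it
        if not any(addr in net for net in trusted_proxies):
            return hop
    return peer_address  # header absent, or it names only trusted proxies


if __name__ == "__main__":
    # Constructed request: the client itself sent a forged X-Forwarded-For.
    inbound = {"Host": ["app.example.com:7070"], "X-Forwarded-For": ["198.51.100.9"]}
    appended = proxy_forward(inbound, "192.0.2.0", strip_inbound=False)
    replaced = proxy_forward(inbound, "192.0.2.0")
    print(appended["X-Forwarded-For"], replaced["X-Forwarded-For"])
    print(client_ip(appended, "10.1.2.3"), client_ip(inbound, "203.0.113.5"))
```

The article does not say how AM/OpenAM treats a multi-valued X-Forwarded-For when com.sun.identity.authentication.client.ipAddressHeader is set, so the safest configuration is the one the example's strip_inbound=True models: IG/OpenIG sends exactly one value, and AM/OpenAM is reachable only through IG/OpenIG.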
    

Capture log

You can trace the flow in the capture log. Based on the above example, the first entry (logged by top-level-handler) is the request as it arrived from the browser, and the second (logged by CaptureClientHandler) is the request IG/OpenIG makes to the proxied application, now carrying the additional X-Forwarded-For header:

[qtp96639997-17] INFO  o.f.o.d.c.C.c.top-level-handler - 
--- (request) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 --->

GET http://localhost:8080/examples/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB;q=1,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Host: app.example.com:7070
If-Modified-Since: Thu, 10 Jan 2013 09:54:32 GMT
If-None-Match: W/"1209-1357811672000"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

[qtp96639997-17] INFO  o.f.o.d.c.C.c.CaptureClientHandler - 

--- (request) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 --->

GET http://localhost:8080/examples/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB;q=1,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Host: app.example.com:7070
If-Modified-Since: Thu, 10 Jan 2013 09:54:32 GMT
If-None-Match: W/"1209-1357811672000"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
X-Forwarded-For: 192.0.2.0

[I/O dispatcher 9] INFO  o.f.o.d.c.C.c.CaptureClientHandler - 

<--- (response) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 ---

HTTP/1.1 304 Not Modified
Date: Wed, 14 Nov 2018 18:24:19 GMT
ETag: W/"1209-1357811672000"
Server: Apache-Coyote/1.1

[I/O dispatcher 9] INFO  o.f.o.d.c.C.c.top-level-handler - 

<--- (response) id:23a32cc8-3452-44a1-af64-867b2371dfaa-14 ---

HTTP/1.1 304 Not Modified
Date: Wed, 14 Nov 2018 18:24:19 GMT
ETag: W/"1209-1357811672000"
Server: Apache-Coyote/1.1

[qtp96639997-15] INFO  o.f.o.d.c.C.c.top-level-handler - 
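
To check the capture log mechanically rather than by eye, here is an added Python example (not part of the article or of IG) that parses capture entries in the format shown above, pairs the inbound and outbound copies of each request by id, and reports the X-Forwarded-For values on each side. The log text embedded in it is constructed from the entries above, with a second request added in which the browser already sent an X-Forwarded-For value, rendered as two header lines on the outbound side; the request ids are made up and the handler names are the ones from the configuration in this article.

```python
"""Added example (not ForgeRock/IG code): verify X-Forwarded-For injection
from an IG capture log. Constructed sample log, modelled on the article's."""
import re

LOG_LINE = re.compile(r"^\[(?P<thread>[^\]]+)\]\s+INFO\s+(?P<logger>\S+)\s+-\s*$")
MESSAGE_MARK = re.compile(r"^<?--- \((?P<kind>request|response)\) id:(?P<id>\S+) --->?$")

SAMPLE_LOG = """\
[qtp1-17] INFO  o.f.o.d.c.C.c.top-level-handler -
--- (request) id:req-14 --->

GET http://localhost:8080/examples/ HTTP/1.1
Host: app.example.com:7070
User-Agent: curl/7.64.1

[qtp1-17] INFO  o.f.o.d.c.C.c.CaptureClientHandler -

--- (request) id:req-14 --->

GET http://localhost:8080/examples/ HTTP/1.1
Host: app.example.com:7070
User-Agent: curl/7.64.1
X-Forwarded-For: 192.0.2.0

[I/O dispatcher 9] INFO  o.f.o.d.c.C.c.CaptureClientHandler -

<--- (response) id:req-14 ---

HTTP/1.1 304 Not Modified
Date: Wed, 14 Nov 2018 18:24:19 GMT

[qtp1-18] INFO  o.f.o.d.c.C.c.top-level-handler -
--- (request) id:req-15 --->

GET http://localhost:8080/examples/ HTTP/1.1
Host: app.example.com:7070
X-Forwarded-For: 198.51.100.9

[qtp1-18] INFO  o.f.o.d.c.C.c.CaptureClientHandler -

--- (request) id:req-15 --->

GET http://localhost:8080/examples/ HTTP/1.1
Host: app.example.com:7070
X-Forwarded-For: 198.51.100.9
X-Forwarded-For: 192.0.2.0
"""


def parse_capture(text):
    """Split IG capture output into one record per logged message:
    {"handler", "kind", "id", "start", "headers"} with header names lower-cased."""
    records, logger, current = [], None, None
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:  # "[thread] INFO o.f.o.d.c.C.c.<handler> -": remember who logged it
            logger = m.group("logger").rsplit(".", 1)[-1]
            current = None
            continue
        m = MESSAGE_MARK.match(line)
        if m:
            current = {"handler": logger, "kind": m.group("kind"), "id": m.group("id"),
                       "start": None, "headers": {}}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue
        if current["start"] is None:  # request line or status line
            current["start"] = line
            continue
        name, sep, value = line.partition(":")
        if sep:
            current["headers"].setdefault(name.strip().lower(), []).append(value.strip())
    return records


def forwarded_for_check(records, inbound="top-level-handler", outbound="CaptureClientHandler"):
    """Per request id: X-Forwarded-For as it arrived at IG and as IG sent it on."""
    result = {}
    for r in records:
        if r["kind"] != "request":
            continue
        entry = result.setdefault(r["id"], {"inbound_xff": [], "outbound_xff": []})
        xff = r["headers"].get("x-forwarded-for", [])
        if r["handler"] == inbound:
            entry["inbound_xff"] = xff
        elif r["handler"] == outbound:
            entry["outbound_xff"] = xff
    return result


def not_injected(check):
    """Request ids IG forwarded without X-Forwarded-For: the filter is not in the path."""
    return sorted(i for i, e in check.items() if not e["outbound_xff"])


def client_supplied(check):
    """Request ids whose client already sent X-Forwarded-For, so IG appended to it."""
    return sorted(i for i, e in check.items() if e["inbound_xff"])


if __name__ == "__main__":
    check = forwarded_for_check(parse_capture(SAMPLE_LOG))
    print("no header injected:", not_injected(check))
    print("client sent its own:", client_supplied(check))
```

Run it against a real capture log by replacing SAMPLE_LOG with the file contents; any id reported by client_supplied is a request where the downstream application received a client-chosen value ahead of the one IG/OpenIG added.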

See Also

How do I configure IG/OpenIG (All versions) to retrieve the user certificate and pass it to AM/OpenAM in the HTTP header?

Installing and configuring IG/OpenIG

Configuration Reference › Chain

Configuration Reference › Route

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.