True Client IP in L7 Security Features
Overview
A proxy identifies the client IP from the Layer-3 header of the incoming connection. However, that address is not always the actual client IP. When there are proxies between the actual client and NSX Advanced Load Balancer (previously known as Avi Vantage), each intermediary proxy adds the source IP address of its incoming connection to the “X-Forwarded-For” header and, while forwarding the request to the destination, replaces the source IP in the layer-3 header with its own IP address.
The True Client IP feature fetches the actual client IP address from “X-Forwarded-For” or from a user-defined header, so that the actual client IP can be recorded in logs and used in policies such as HTTP Security and HTTP Request policies.
Advantages of Using True Client IP
- You can log actual client IP address in the application logs at NSX Advanced Load Balancer.
- The actual client IP address can be shared with the backend server (NSX ALB can insert the identified client IP as X-Forwarded-For, and the server can be configured to parse it).
- You can configure HTTP policy, SSO policy etc. based on the actual client IP address.
True Client IP in NSX Advanced Load Balancer
With the implementation of true client IP, the following are supported:
- Source IP is always the IP address from the IP header of the downstream (incoming) connection.
- Client IP is derived based on user configuration. It can be taken from X-Forwarded-For or from a user-specified header, or it can be the same as the Source IP.
With true client IP, the behavior is as shown below:
True Client IP Configuration | Header Parameter | Direction Parameter | Index Count Parameter | Behaviour |
---|---|---|---|---|
Disabled (Default) | X-Forwarded-For (Default) | Left (Default) | 1 (Default) | Client IP=Source IP |
Enabled | True-User-IP (User defined) | Left (Default) | 1 (Default) | Client IP is the IP fetched from the user-defined header “True-User-IP”, or from the layer-3 header if the user-defined header is not found in the request, has a formatting error, etc. Source IP is always from the layer-3 header |
For L4 applications, Source IP and Client IP are always the same. For HTTP applications, they can differ. The feature is disabled by default. After enabling True Client IP, specify the header from which the client IP should be fetched.
If no header is defined, the client IP is fetched from the X-Forwarded-For header. The value of the specified header must be a comma-separated list of IP addresses; if it is not in this format, it is ignored.
For example, the header value format is:
X-Forwarded-For: 1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4
At present, only one header can be configured to fetch the client IP.
Configuring True Client IP
Starting with NSX Advanced Load Balancer 22.1.3, True Client IP can be enabled and configured using the UI.
To enable True Client IP from the UI:
- Navigate to Templates > Profiles > Application.
- Create or edit an Application Profile of type HTTP.
- Click Enable True Client IP.
- Select the Index Direction to define the direction from which the client IP index is counted.
- Enter the index of the entry to be picked from the specified header’s values. The default value is 1, which picks the first IP value from the user-specified header in the direction specified by Index Direction. Increasing the Index in Header value picks the IP at that position; for example, if Index in Header is 3, the third IP from the specified direction is picked.
- Under Headers to Find True Client IP, click Add and enter a list of IP Addresses. If no IP address is entered and Enable True Client IP is selected, the X-Forwarded-For header, if available, is used.
- Configure the other fields and click Save.
Follow the steps below to configure True Client IP in NSX Advanced Load Balancer using the CLI.
Enabling True Client IP
Enable the use_true_client_ip field for the desired custom HTTP profile.
- Access the Avi CLI by logging into the Avi Shell.
- Configure the custom HTTP profile by using the command:
configure applicationprofile <name of the custom http profile>
- To enable True Client IP:
http_profile use_true_client_ip
Configuring the Parameters
Use the following parameters with the true_client_ip parameter:
* Headers (optional): defines the HTTP header from which the client IP is fetched. If not specified, “X-Forwarded-For” is used by default.
* Direction (optional): defines the direction in which the IPs in the specified header value are counted. The default value is Left.
* Index_in_header (optional): defines the position, counted in the configured direction, within the specified header’s value. The default value is 1.
Define the parameters for true_client_ip (header name, direction and index in the header) as shown below:
true_client_ip headers <name of the header> <direction> <index in the header>
Note: The valid range for true client IP index is 1-1000.
After configuring the parameters as required, save the configuration.
Use cases
The following features can be configured to use the actual client IP:
- HTTP Policies
  - HTTP Security/Request/Response policy match based on client IP can be configured.
- DataScripts: client IP based API, rate limiting API
The following features are affected after enabling True Client IP:
- Application logs
  - Client IP (v4 and v6) in Application Log
- Analytics Policy
  - Client Log filter match for Client IP
- RUM/Client Insights Sampling: client IP address to check when inserting the RUM script
- Rate Limit based on client IP
- Compression Filter based on client IP
- Match based on client IP in SSO policy
- Allow list based on client IP in WAF policy
- WAF: ModSec rules
- Allow list based on client IP in Bot Management Policy
- IP Reputation
- Geo Location based features
- True Client IP in DoS Analytics reports
Upgrade
By default, True Client IP is disabled. So on upgrading to NSX Advanced Load Balancer version 21.1.3, all instances where client IP is referred to will refer to Source IP, and no change in behaviour is evident. If True Client IP is enabled later, all instances that refer to client IP will refer to True Client IP. To use Source IP specifically in any such place, explicitly change the configuration to do so.
Examples
True Client IP Configuration | Header Parameter | Direction Parameter | Index Count Parameter | Request Details | Behaviour |
---|---|---|---|---|---|
Enabled | X-Forwarded-For | Left | 3 | X-Forwarded-For: 1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 3.3.3.3; Source IP = from layer-3 header |
Enabled | X-Forwarded-For | Left | 4 | X-Forwarded-For: 1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 4.4.4.4; Source IP = from layer-3 header |
Enabled | X-Forwarded-For | Left | 5 | X-Forwarded-For: 1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 4.4.4.4; Source IP = from layer-3 header |
Enabled | X-Forwarded-For | Left | 4 | X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3,4.4.4.4; X-Forwarded-For: 10.10.10.10, 172.16.1.1,192.168.1.1 | Client IP = 4.4.4.4; Source IP = from layer-3 header |
Enabled | True-Client-IP | Left | 4 | X-Forwarded-For: 1.1.1,2.2.22,3.3.3.3,4.4.4.4 | Client IP = Source IP = from layer-3 header |
Enabled | True-Client-IP | Left | 4 | X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3,4.4.4.4; True-Client-IP: 10.10.10.10, 172.16.1.1, 192.168.1.1 | Client IP = 192.168.1.1; Source IP = from layer-3 header |
Enabled | Not Configured (Default) | Left | 3 | X-Forwarded-For: 1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 3.3.3.3; Source IP = from layer-3 header |
Enabled | X-Forwarded-For | Not Configured (Default) | 3 | X-Forwarded-For: 1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 3.3.3.3; Source IP = from layer-3 header |
Enabled | X-Forwarded-For | Left | 2 | X-Forwarded-For: 1.1.1,2-2,3.3.3.3,4.4.4.4 | Client IP = Source IP = from layer-3 header |
Enabled | X-Forwarded-For | Left | 2 | X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 | Client IP = 2.2.2.2; Source IP = from layer-3 header |
Enabled | True-Client-IP | Left | 2 | X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 | Client IP = Source IP = from layer-3 header |
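The selection rules described earlier (a comma-separated header value, an index counted from the configured direction, and fallback to the layer-3 source IP when the header is missing or the selected entry is malformed) and the rows of the examples table, as an added Python model. This is illustration code written for this page, not code from NSX Advanced Load Balancer; the function names, the proxy-chain helper and the addresses it uses (RFC 5737 documentation ranges) are constructed. Two points are assumptions rather than statements on the page: only the first instance of the configured header is consulted, and an index past the end of the list picks the last entry in that direction (the table's index-5 and index-4 rows are consistent with that reading). The model also implements the Right direction, which the page names but does not tabulate.

```python
"""Added example (not NSX Advanced Load Balancer code): a model of true-client-IP
selection, exercised with the rows of the examples table above."""
import ipaddress
from typing import List, Optional, Tuple

# (name, value) pairs in the order they appear in the request.
Header = Tuple[str, str]


def hop_through_proxy(headers: List[Header], connection_src_ip: str,
                      proxy_ip: str) -> Tuple[List[Header], str]:
    """Model one intermediary proxy (constructed for this example): it appends the
    IP it saw on its incoming connection to X-Forwarded-For and forwards the
    request with its own address as the layer-3 source. Returns (headers, source)."""
    out: List[Header] = []
    appended = False
    for name, value in headers:
        if name.lower() == "x-forwarded-for" and not appended:
            value = f"{value}, {connection_src_ip}"
            appended = True
        out.append((name, value))
    if not appended:
        out.append(("X-Forwarded-For", connection_src_ip))
    return out, proxy_ip


def derive_client_ip(source_ip: str, headers: List[Header], *, enabled: bool = False,
                     header: str = "X-Forwarded-For", direction: str = "Left",
                     index: int = 1) -> str:
    """Return the client IP the load balancer would log and match policies on.

    Source IP always comes from the layer-3 header (``source_ip``). With the
    feature disabled, client IP == source IP. When enabled, the configured header
    is split on commas and the entry at ``index``, counted from ``direction``, is
    taken. Assumptions (see lead-in): only the first instance of the header is
    used, and an index past the end picks the last entry in that direction. An
    entry that is not a valid IP address makes the lookup fall back to source IP.
    """
    if not enabled:
        return source_ip
    if not 1 <= index <= 1000:  # valid range stated in the CLI note above
        raise ValueError("index must be within 1-1000")
    if direction not in ("Left", "Right"):
        raise ValueError("direction must be 'Left' or 'Right'")

    matches = [v for n, v in headers if n.lower() == header.lower()]
    if not matches:
        return source_ip  # configured header absent: fall back to layer-3 source
    entries = [e.strip() for e in matches[0].split(",")]
    if direction == "Right":
        entries.reverse()
    candidate = entries[min(index, len(entries)) - 1]
    try:
        ipaddress.ip_address(candidate)  # accepts IPv4 and IPv6 literals
    except ValueError:
        return source_ip  # malformed entry such as "2-2": header is ignored
    return candidate


def client_ip_after_chain(client_ip: str, proxy_ips: List[str],
                          presupplied_xff: Optional[str] = None,
                          **config) -> str:
    """Build the request the load balancer sees after ``client_ip`` passes through
    ``proxy_ips`` in order, then derive the client IP using ``config`` (the
    keyword arguments of derive_client_ip). ``presupplied_xff`` models an
    X-Forwarded-For value that was already in the request before the first proxy."""
    headers: List[Header] = []
    if presupplied_xff is not None:
        headers.append(("X-Forwarded-For", presupplied_xff))
    source = client_ip
    for proxy in proxy_ips:
        headers, source = hop_through_proxy(headers, source, proxy)
    return derive_client_ip(source, headers, **config)


if __name__ == "__main__":
    # Constructed addresses: client 203.0.113.7 behind two proxies.
    chain = ["198.51.100.1", "198.51.100.2"]
    print(client_ip_after_chain("203.0.113.7", chain, enabled=True))
    # Left/1 returns whatever was already in X-Forwarded-For before the first proxy;
    # Right/2 (two proxies in the chain) returns the address the first proxy saw.
    print(client_ip_after_chain("203.0.113.7", chain, presupplied_xff="192.0.2.9",
                                enabled=True))
    print(client_ip_after_chain("203.0.113.7", chain, presupplied_xff="192.0.2.9",
                                enabled=True, direction="Right", index=2))
```

Running the file shows why the direction and index matter when a fixed chain of intermediary proxies fronts the load balancer: counted from the Left, index 1 returns any X-Forwarded-For value that was already in the request before the first proxy, whereas counted from the Right, an index equal to the number of proxies returns the address the first proxy observed on its own connection. When the number of intermediaries is known, the latter is the value to log and to match security policies against.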
Document Revision History
Date | Change Summary |
---|---|
December 20, 2021 | Created the feature KB for True Client IP in L7 Security Features (version 21.1.3) |