FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
lmarinovic
Staff
Article Id 199721
Description This article describes inbound proxy settings for source address detection.
Scope  
Solution

From version 6.3.1, FortiAuthenticator allows the administrator to specify which HTTP header(s) may or may not be used to retrieve the source IP address of an HTTP request.

 

This is a useful option if there is a reverse proxy in front of FortiAuthenticator.

For example, if SAML subnets have been trusted in 'Bypass FortiToken authentication when user is from a trusted subnet', the user's source IP address is unknown until 'Get proxy IP from X_FORWARDED_FOR HTTP header (if available)' is turned on.

 

The Edit System Access Settings page in System -> Administration -> System Access has a new Inbound Proxy pane with related settings.

 


 

1) Get proxy IP from FORWARDED HTTP header (if available) - Enable to get the proxy IP address from the FORWARDED HTTP header when available.

 

2) Configure valid FORWARDED 'by' values - Enable to specify a list of valid "by" identifiers for the FORWARDED header, separated by a comma or a new line.

 

This determines the client IP address used while logging in and can be used to determine if a proxy IP address is trusted in some security features (e.g. trusted subnets for SAML IdP and admin GUI access and user portal adaptive authentication, etc).

 

Note.

This option provides a way to select the correct source IP address when there is a chain of inbound proxies.

It also provides additional protection against spoofing.

 

3) Get proxy IP from X_FORWARDED_FOR HTTP header (if available) - Enable to get the proxy IP address from the X_FORWARDED_FOR HTTP header (the non-standard equivalent of FORWARDED with 'for') when available.

 

Note.

When Get proxy IP from FORWARDED HTTP header (if available) and Get proxy IP from X_FORWARDED_FOR HTTP header (if available) options are enabled, FortiAuthenticator looks for a matching 'FORWARDED' header and only uses the 'X_FORWARDED_FOR' header if a valid 'FORWARDED' header is not present.
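
The selection logic that these three options describe, as an added Python sketch (not Fortinet code and not part of the original article). Taking the rightmost hop whose 'by' value is listed, using the last X-Forwarded-For entry, and the names `source_ip`, `parse_forwarded` and `SAMPLE` are assumptions made for illustration; the article does not document FortiAuthenticator's exact algorithm.

```python
import ipaddress

def _node_ip(value):
    """IP from an RFC 7239 node: 192.0.2.1, 192.0.2.1:80 or "[2001:db8::1]:80"."""
    v = value.strip().strip('"')
    if v.startswith("[") and "]" in v:         # bracketed IPv6, optional port
        v = v[1:v.index("]")]
    elif v.count(":") == 1:                    # IPv4 with port
        v = v.split(":")[0]
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:                         # "unknown" or an obfuscated token
        return None

def parse_forwarded(header):
    """One {param: value} dict per hop (simplified: no commas inside quotes)."""
    hops = []
    for element in header.split(","):
        pairs = (p.split("=", 1) for p in element.split(";") if "=" in p)
        hops.append({k.strip().lower(): v.strip().strip('"') for k, v in pairs})
    return hops

def source_ip(peer_ip, headers, valid_by, use_forwarded=True, use_xff=True):
    """Return (ip, origin). Assumed policy: the rightmost hop with a listed 'by' wins."""
    h = {k.lower(): v for k, v in headers.items()}
    if use_forwarded and "forwarded" in h:
        for hop in reversed(parse_forwarded(h["forwarded"])):
            ip = _node_ip(hop.get("for", ""))
            if ip and hop.get("by") in valid_by:
                return ip, "forwarded"
    if use_xff and "x-forwarded-for" in h:     # only without a valid Forwarded hop
        ip = _node_ip(h["x-forwarded-for"].split(",")[-1])
        if ip:
            return ip, "x-forwarded-for"
    return peer_ip, "peer"

# Constructed request: the first Forwarded hop was sent by the client itself,
# the second was appended by the reverse proxy identified as "_edge1".
SAMPLE = {
    "Forwarded": 'for=10.0.0.5;by=_fake, for="[2001:db8::7]:4711";by=_edge1',
    "X-Forwarded-For": "10.0.0.5, 198.51.100.23",
}

if __name__ == "__main__":
    print(source_ip("172.16.0.2", SAMPLE, {"_edge1"}))   # Forwarded hop by _edge1
    print(source_ip("172.16.0.2", SAMPLE, {"_other"}))   # falls back to XFF
```

The client-supplied hop with `by=_fake` is never used, which is the spoofing protection the 'by' list gives: only a hop written by a listed proxy can set the address that trusted-subnet checks see.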
