Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Allow X-Forwarded-For Headers to Site or No?

Posted on 2016-10-24
3
Medium Priority
?
146 Views
Last Modified: 2016-10-25
So, this one is new for me and I need a breakdown on it.  I already Google'd about it but I want a answer from someone knowledgable in this matter.

We host multiple sites for clients.  The sites are on IIS servers behind a load balancer.  One of the sites we host is having issues when their customers try to access it behind a proxy.  They can access it when they disable "X-Forwarded-For" option on the proxy but can't access it when they enable.  

My question to you is should we enable it for these users?  I ready that hackers can use that option if they breach your network and can use it to spoof the IP they came in on.  So obviously for us this is a security issue.

I'm not even 100% sure where to enable this, I believe I would do it on the actual web server and not the firewall, but I need advice on the ramifications of if I do it to begin with.
0
Comment
Question by:cshepfam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 41857861
On a proxy configuration X-forwarded-For deals with when proxies are chained.

Without understanding your situation it is hard to answer your question
Depending on your loadbalancer, you could add the X-Forwarded-FOR to the loadbalancer.

Direct access client would not care about this header entry, the proxy may benefit..

Are their proxy chained? local proxy that connects to another of their proxy at HQ which in turns contacts your loadbalaner, passing data to the IIS instance, etc.
0
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 41857873
Indeed the X-Forwarded-For (and User-Agent) HTTP headers can easily be spoofed by any user.

By default, to secure your site, it should reject any connections that are not from the IP of the proxy server (configure the web server or firewall to only accept the client IP of the proxy for web connections). That is likely why you have connection without enabling XFF header.

Also you should consider installing an SSL certificate onto the proxy, which each client machine can trust. This will enable the proxy server to decrypt traffic, add the appropriate IP address header (overwriting any set by the client) and then forward it onto your server. The server code can then safely check the XFF header to make sure it remains constant per user session.

HTTP header should not be used for any Access Control List (ACL) checks because it can be spoofed by attackers. Use the real IP address for this type of restrictions.
0
 
LVL 13

Author Closing Comment

by:cshepfam
ID: 41858824
Thank you for the explanation.  It was the one I was looking for.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question