Preserve or retain client IP through WAF

Hello,

I've done some searching on here and many posts I find are 5-10 years old and/or the original poster never came back to confirm whatever was suggested fixed their issue or not. And, for reasons beyond me, these threads are locked so you cannot even chime in to ask if what they did fixed it or not, so here I am.

We just set up WAF and now client IPs are all showing the IP of the Sophos Firewall. How can we preserve or retain the original client IP? We have a few scenarios where something on our web app is revealed to them based on their IP, but now all traffic is showing as coming from the LAN IP of the Sophos.

I found one suggestion to make sure "Pass host header" is checked, and other suggestions to use X-Forwarded-For in IIS. Does anyone know what exactly needs to be done? I'm asking here before I simply click the Pass host Header checkbox and/or do the X-Forwarded-For thing, to get some feedback first.

Thanks!

  • It's good to enable the "Pass host header" since lots of applications won't work without it; the WAF will send the real IPv4 of the client independent of this configuration through the X-Forwarded-For HTTP header.

    Depending on the scenario there are multiple ways to preserve the real IPv4, but all of them depend on what application or reverse proxy you're currently running behind it. Most of them will use the explicit HTTP header by default.

    But on some other setups, this can be different. As an example, my setup currently looks like this: WAF => Nginx => Web Application.

    Since I want Nginx to send the real IPv4 that came from the WAF to the web app, I've added this snippet in my server config. (And some other headers to fix certain issues.)

    # Get the real IPv4 behind the WAF: take the client address from
    # X-Forwarded-For, but only when the connection comes from the WAF (10.10.10.1).
    real_ip_header X-Forwarded-For;
    set_real_ip_from 10.10.10.1;
    
    # Use HTTP 1.1 since the default is HTTP 1.0.
    proxy_http_version 1.1;
    
    # Necessary headers for the proxy. $remote_addr is the address the realip
    # module resolved above, so the web app sees the original client.
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    
    # Don't redirect.
    proxy_redirect off;
    
    # Don't buffer.
    proxy_buffering off;
    proxy_request_buffering off;

    Anyways, what exactly are you running behind the WAF?

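The point behind `real_ip_header` plus `set_real_ip_from` in the reply above is that X-Forwarded-For is only meaningful when the request actually arrived from the WAF; any client that can reach the backend directly can put whatever it likes in that header. The following is an added example, not code from the thread or from Sophos, that reproduces nginx's realip decision logic in Python so the behaviour can be checked with constructed requests. It assumes the WAF's LAN address is 10.10.10.1, as in the reply.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed value: the WAF's LAN-side address from the reply above.
TRUSTED_PROXIES = ["10.10.10.1"]


def real_client_ip(remote_addr: str, xff: Optional[str],
                   trusted: Iterable[str] = TRUSTED_PROXIES,
                   recursive: bool = True) -> str:
    """Mirror nginx: real_ip_header X-Forwarded-For; set_real_ip_from ...;
    real_ip_recursive on|off. Returns the address the app should treat as the client."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]

    def is_trusted(addr: ipaddress._BaseAddress) -> bool:
        return any(addr in n for n in nets)

    # If the TCP peer is not a trusted proxy, the header is untrusted client
    # input and must be ignored: this is what stops a forged X-Forwarded-For.
    if not xff or not is_trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr

    chain = [hop.strip() for hop in xff.split(",") if hop.strip()]
    # Walk from the right (address added by the nearest proxy) toward the left
    # (addresses that may have been supplied by the client itself).
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Assumption for this example: a malformed entry means fall back to
            # the peer address rather than trust a garbage value.
            return remote_addr
        if recursive and is_trusted(addr):
            continue  # skip our own proxies and keep looking left
        return hop
    # Every entry was one of our proxies; nothing better than the peer.
    return remote_addr


if __name__ == "__main__":
    # Constructed requests: via the WAF, and a direct hit with a forged header.
    print(real_client_ip("10.10.10.1", "203.0.113.7"))      # 203.0.113.7
    print(real_client_ip("192.0.2.50", "203.0.113.7"))      # 192.0.2.50
```

With `recursive=False` the rightmost entry is taken as-is, which matches nginx's `real_ip_recursive off` and is only correct when there is exactly one proxy hop.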