Azure API Management - How to get original IP when APM is behind WAF

Posted by 廉价感情 on 2019-12-10 19:07:48

Question


We have below technical stack

  • Imperva WAF
  • API Management
  • WebApi in WebApp

This is current implementation

  • Client IPs are authenticated at WAF level
  • WAF IPs are whitelisted at APIM
  • APIM IP is whitelisted at WebApp level

Everything is working fine and as expected.

Now when I went to APIM -> Analytics -> Request, I see WAF IPs listed here and not the client ones. So in this case we will not be able to track who is using what.

I know we have the option to track through the subscription key, but that is not enough.

Can anybody please suggest how to configure to get correct IPs?


Answer 1:


I believe you can find your answer in here. You merely need to configure your server to retrieve the correct IP from the relevant header.

Quoting the relevant part:

Original Client IP is required. In case your application requires a real client IP address, please make sure you have enabled retrieval of this value from either the "X-Forwarded-For" or the "Incap-Client-IP" header. When working with Imperva, your server will see Imperva IPs instead of real client IPs. However, Imperva by default inserts the original client IP address into two HTTP headers: "X-Forwarded-For" and the Imperva header "Incap-Client-IP".

But notice: you should take the first IP in a given XFF value; otherwise, the use of the second header, real-client-IP, might be affected by 3rd-party proxies, etc.

Hope that helps.
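As an added illustration (not from the question or any of the answers), here is a Python helper for the web-app side that honours Incap-Client-IP and X-Forwarded-For only when the request actually arrived from a trusted proxy, and walks XFF from the right so that a client-supplied leading entry cannot spoof the logged address. The proxy ranges are constructed placeholders; in the WAF -> APIM -> WebApp chain above they would be the WAF's published ranges plus the APIM outbound IP.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed placeholder: egress addresses of the trusted proxies in front
# of the web app (the WAF, and APIM if it also appends a hop). In a real
# deployment substitute Imperva's published ranges and the APIM outbound IP.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("192.0.2.10/32")]

def _parse_ip(value: str) -> Optional[str]:
    """Normalise one address string, or None if it is not a valid IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def _is_trusted(value: str) -> bool:
    ip = _parse_ip(value)
    return ip is not None and any(
        ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)

def client_ip_from_xff(xff: str) -> Optional[str]:
    """Return the rightmost X-Forwarded-For entry that is not a trusted proxy.
    Each proxy appends the address it received the connection from, so
    entries to the left of the last untrusted hop are client-controlled."""
    for hop in reversed(xff.split(",")):
        if hop.strip() and not _is_trusted(hop):
            return _parse_ip(hop)  # None if the hop is not a valid address
    return None

def resolve_client_ip(headers: Mapping[str, str], peer_ip: str) -> Optional[str]:
    """Decide which address to log for a request that arrived from peer_ip."""
    # Forwarded headers are only meaningful when the TCP peer is a proxy we
    # trust; anyone else could have written them.
    if not _is_trusted(peer_ip):
        return _parse_ip(peer_ip)
    h = {k.lower(): v for k, v in headers.items()}
    if "incap-client-ip" in h:
        ip = _parse_ip(h["incap-client-ip"])
        if ip:
            return ip
    if "x-forwarded-for" in h:
        return client_ip_from_xff(h["x-forwarded-for"])
    return _parse_ip(peer_ip)
```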




Answer 2:


After raising a support request with Microsoft, we got what we wanted.

This is how we accomplished it:

  • When Imperva WAF calls the APIM endpoint, it also passes Incap-Client-IP in the header
  • Within APIM -> APIs -> All APIs -> Settings -> enter the header property you want to add to the request log in App Insights
  • Under request log -> custom dimension -> you can see the InCap-Client-IP property has been added in App Insights

Now we can export this in CSV format and track usage based on client IP.




Answer 3:


This is not possible with the built-in reports in Azure APIM. If you can make the WAF forward the client IP to APIM in a header, then you could build your own reporting infrastructure, but that would be pretty elaborate.



Source: https://stackoverflow.com/questions/56597347/azure-api-management-how-to-get-original-ip-when-apm-is-behind-waf
