Plugin: X-Forwarded-For edit

Purpose

Use this plugin if you are detecting incorrect forwarding IP addresses in your analytics or IP restrictions. This plugin can be used to remove some IP addresses from the X-Forwarded-For header of HTTP search requests.

Historically, the client’s remote address has been used as their IP address, however if the request has passed through any proxies then this header carries the IP address of the last proxy rather than the client’s originating address, resulting in the wrong IP address being recorded.

he X-Forwarded-For HTTP header is used to get around this problem. The X-Forwarded-For header contains a list of IP addresses recording the various hops that the request went through before reaching the search server.

In a complex scenario, a request can go through multiple hops:

  • Proxy server of the client, to the CMS

  • CMS to the Funnelback load balancer (partial HTML example)

  • Funnelback load balancer to the actual backend server

When looking at the X-Forwarded-For header value, the first IP address will be the one closer to the client

X-Forwarded-For should not be trusted for access restriction as it can be easily spoofed.

In the example below:

X-Forwarded-For: 1.2.3.4,5.6.7.8,9.10.11.12

the X-Forwarded-For header would have 3 values:

  1. The IP address of the client proxy (1.2.3.4)

  2. The IP address of the CMS (5.6.7.8)

  3. The IP address of the load balancers (9.10.11.12)

Another example is when Funnelback is put behind a content delivery network such as Akamaï:

  • Client makes a request to the Funnelback domain name, that sends to Akamaï

  • Akamaï makes a request to Funnelback load balancers on behalf of the client

  • Load balancers forward the request to the actual backend server

In all these cases it is desirable to only retain the IP address of the original client to ensure accurate analytics. Funnelback has partial support for this with logging.ignored_x_forwarded_for_ranges that will cause the last IP address (load balancer → backend server) to be scrubbed. Multiple IP addresses may remain however and there’s no easy way to control which one should be kept.

For the example, in the Akamaï case, it would not be practical to configure all the possible IP addresses of Akamaï (hundreds) to be ignored. A better approach instead is to simply ignore the last X-Forwarded-For value and consider the one before last, as it will be the one of the client that issued the request to Akamaï.

When to use this plugin

Use this plugin when an intermediate network hop gets included in the X-Forwarded-For header resulting in an incorrect value being detected for the remote user’s IP address.

An incorrect X-Forwarded-For value can result in the incorrect operation of features that are based on the user’s IP address including:

  • Search usage analytics

  • Curator

  • Predictive segmentation

  • Collection-level security (IP address-based access restriction)

Usage

Enable the plugin

  1. Select Plugins from the side navigation pane and click on the X-Forwarded-For edit tile.

  2. From the Location section, select the results page to which you would like to enable this plugin from the Select a results page select list.

The plugin will take effect as soon as you finish running through the plugin setup steps.

Configuration settings

The configuration settings section is where you do most of the configuration for your plugin. The settings enable you to control how the plugin behaves.

The configuration key names below are only used if you are configuring this plugin manually. The configuration keys are set in the results page configuration to configure the plugin. When setting the keys manually you need to type in (or copy and paste) the key name and value.

IP address removal mode

Configuration key

plugin.x-forwarded-for-edit.config.mode

Data type

string

Allowed values

RemoveFirst,RemoveLast,KeepFirst

Required

This setting is required

Specifies the mode of operation. If not set, this plugin does nothing. Acceptable values are: 'RemoveFirst', 'RemoveLast', 'KeepFirst'.

  • RemoveFirst: Remove the first X-Forwarded-For IP address

  • RemoveLast: Remove the last X-Forwarded-For IP address

  • KeepFirst: Keep only the first X-Forwarded-For IP address.

Examples

In this example, a client require passes through a proxy with IP address 2.2.2.2. This is logged alongside the client’s actual IP address.

To keep only the first IP address from the X-Forwarded-For header for search requests, set:

Configuration setting Value

IP address removal mode

KeepFirst

which will result in the X-Forwarded-For header for a search request being modified from:

X-Forwarded-For: 1.1.1.1,2.2.2.2

to

X-Forwarded-For: 1.1.1.1

This results in the detect IP for features like search analytics and curator being based of the 1.1.1.1 IP address.

Change log

[1.1.0]

Changed

  • Updated to the latest version plugin framework (Funnelback shared v16.20) to enable integration with the new plugin management dashboard.