Controlling IP addresses from setting X-Forwarded-For
You can restrict which source IP addresses are allowed to set the 'X-Forwarded-For' HTTP request header. The GLF ALLOWED PROXIES variable (Manage the system > Policies > Options) holds a comma-delimited list, in CIDR notation, of connection source IP addresses and ranges from which an 'X-Forwarded-For' HTTP request header is trusted. This prevents an HTTP client from avoiding IP lockout by pretending to forward requests for random IP addresses.
If a connecting peer does not specify the HTTP request header, its IP address is considered the true source address for IP-lockout considerations.
If a connecting peer specifies the HTTP request header, and its IP address is specified in GLF ALLOWED PROXIES, then the HTTP request header value is considered the true source IP address, rather than the connecting peer's IP address.
If a connecting peer specifies the HTTP request header, but its IP address is not specified in GLF ALLOWED PROXIES, then the connecting peer's IP address is considered the true source address for IP-based lockout policy, and a warning is written to the Logging Service regarding a possible spoofing attack.
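The three cases above, written out as an added Python sketch; it is not the product's own code. The function names, the logger standing in for the Logging Service, the right-most-entry handling of a multi-hop header and the fallback for an unparseable header value are assumptions of this example.

```python
import ipaddress
import logging

log = logging.getLogger("xff_policy")  # stand-in for the product's Logging Service

def parse_allowed_proxies(value):
    """Parse a comma-delimited list of CIDR ranges or single addresses."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]

def effective_source_ip(peer_ip, xff_header, allowed):
    """Return (address to use for IP lockout, spoofing_warning_raised)."""
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header:
        # Case 1: no header, so the connecting peer is the source.
        return str(peer), False
    if not any(peer in net for net in allowed):
        # Case 3: header from an untrusted peer. Ignore it and warn.
        log.warning("X-Forwarded-For %r from untrusted peer %s: possible spoofing",
                    xff_header, peer)
        return str(peer), True
    # Case 2: trusted proxy. Assumption: for a multi-hop list, use the
    # right-most entry, which is the one the trusted proxy itself appended.
    candidate = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate)), False
    except ValueError:
        # Assumption: an unparseable value falls back to the peer address.
        log.warning("Unparseable X-Forwarded-For %r from proxy %s", xff_header, peer)
        return str(peer), False

if __name__ == "__main__":
    allowed = parse_allowed_proxies("10.0.0.0/8, 192.0.2.10")  # constructed sample
    for peer, hdr in [("203.0.113.5", None), ("10.1.2.3", "198.51.100.7"),
                      ("203.0.113.5", "198.51.100.7")]:
        print(peer, hdr, "->", effective_source_ip(peer, hdr, allowed))
```

The earlier entries of a multi-hop header are supplied by the client side of the proxy, which is why this sketch does not use them for lockout decisions.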