RemoteIPHeader, RemoteIPInternalProxy & RemoteIPTrustedProxy
When EZproxy is installed behind load balancers and network proxies, the IP address of the incoming connection to EZproxy may reflect the address of these devices instead of the remote user’s IP address. These devices are often able to insert a header to indicate the remote user’s IP address, typically using the header X-Forwarded-For.
EZproxy supports Option AcceptX-Forwarded-For to tell EZproxy to trust this header regardless of the source IP address from which it arrives. This directive continues to be available to enable the old behavior. If any RemoteIPInternalProxy or RemoteIPTrustedProxy directives are present, they automatically override Option AcceptX-Forwarded-For with the new behavior.
In EZproxy V6.3, config.txt directives were created to make the decision on when to accept these headers and how to parse them.
RemoteIPHeader [header]
This directive tells EZproxy what header to examine for IP addresses. If not specified, the default header used is X-Forwarded-For. The presence of this directive alone does not enable X-Forwarded-For processing.
RemoteIPInternalProxy [ip-address OR range]
RemoteIPTrustedProxy [ip-address OR range]
RemoteIPInternalProxy and RemoteIPTrustedProxy accept one or more IP address ranges which can be specified as a single IP address (e.g., 192.168.1.10), two IP addresses separated by a hyphen (e.g., 192.168.1.10-192.168.1.15), or an IP address range in CIDR notation (e.g., 192.168.1.0/24).
Both directives authorize EZproxy to evaluate an X-Forwarded-For header that appears in a request from an IP address that appears within one of the specified ranges.
When EZproxy is authorized to evaluate X-Forwarded-For, it examines the IP addresses present in the header from right to left. Each IP address is evaluated under these conditions:
- If the IP address is invalid, EZproxy ignores the X-Forwarded-For header and stops processing.
- If the IP address does not fall within one of the ranges specified by these directives, EZproxy uses this as the remote user’s IP address and stops processing.
- If the IP address is a private address and does not match a RemoteIPInternalProxy range, EZproxy uses this as the remote user’s IP address and stops processing.
- Otherwise, EZproxy ignores the current address. If there is another address to the left, it is evaluated using the previous steps.
- If all addresses are skipped, EZproxy ignores the X-Forwarded-For header and stops processing.
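The right-to-left evaluation described above, sketched in Python as an added example (not EZproxy's own code). The function names, the reading of "private address" as the RFC 1918 blocks, and falling back to the connecting address when the header is ignored are assumptions.

```python
import ipaddress

def parse_range(spec):
    """Return (low, high) for a single address, an 'a-b' range, or a CIDR block."""
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        low, high = net[0], net[-1]
    else:
        low = high = ipaddress.ip_address(spec)
    return low, high

def in_ranges(ip, ranges):
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)

# Assumption: "private address" means the RFC 1918 blocks; the page does not define it.
PRIVATE = [parse_range(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve_client_ip(peer, header, internal, trusted):
    """Return the address to treat as the remote user's, per the rules above."""
    internal = [parse_range(r) for r in internal]
    proxies = internal + [parse_range(r) for r in trusted]
    # The header is evaluated only when the connection comes from a listed range.
    if not header or not in_ranges(ipaddress.ip_address(peer), proxies):
        return peer
    for token in reversed(header.split(",")):
        try:
            ip = ipaddress.ip_address(token.strip())
        except ValueError:
            return peer      # invalid entry: ignore the header (assumed fallback)
        if not in_ranges(ip, proxies):
            return str(ip)   # not a listed proxy: this is the user
        if in_ranges(ip, PRIVATE) and not in_ranges(ip, internal):
            return str(ip)   # private, but not an internal proxy
        # Listed proxy hop: skip it and examine the address to its left.
    return peer              # every address skipped: ignore the header

if __name__ == "__main__":
    # Constructed sample: internal load balancer 10.0.0.5, trusted proxy 198.51.100.12.
    print(resolve_client_ip("10.0.0.5", "192.0.2.99, 203.0.113.7, 198.51.100.12",
                            ["10.0.0.0/8"], ["198.51.100.10-198.51.100.20"]))
```

Because evaluation stops at the first address that is not a listed proxy, a value the client placed at the left of the header (192.0.2.99 in the sample) is never reached.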
Syntax
RemoteIPHeader [header]
RemoteIPInternalProxy [ip-address OR range]
RemoteIPTrustedProxy [ip-address OR range]
Examples
RemoteIPHeader Custom-Header-Name
RemoteIPInternalProxy 127.0.0.1
RemoteIPTrustedProxy 192.168.1.0/24
RemoteIPTrustedProxy 192.168.0.0-192.168.255.255