WafCharm now supports the XFF header option in AWS WAF

【Table of contents】

  1. Introduction
  2. What is the XFF Header Option?
  3. How to Configure with WafCharm
  4. Notes
  5. Conclusion

1. Introduction

In July 2020, AWS WAF added IP control based on HTTP header fields such as X-Forwarded-For. This post is a brief overview of how to configure it in WafCharm.

2. What is the XFF Header Option?

From the perspective of an Application Load Balancer (ALB) placed behind a Content Distribution Network (CDN), the source IP address of the connection is the IP address of the CDN.
Because this is not the IP address of the original client, the AWS WAF attached to the ALB cannot control access by client IP address in this configuration.

To solve this problem, HTTP header fields such as X-Forwarded-For (XFF) can be used to see the client's IP address even when the request passes through an intermediate device such as a CDN.

3. How to Configure with WafCharm

Prerequisites
The XFF header option can be selected in the Web ACL Config settings screen with the initial rules applied. To check the application status of the rule, please check Web ACL directly from the AWS Management Console.
If you have any questions, please contact our support team.

In the Web ACL Config screen where the rule is applied, you'll see a setting labelled "Originating address." The default setting is to use the source IP address.

Open the edit screen and switch the "Originating address" from "Source IP address" to "IP address in header."

After switching, you can enter the header name. By default, "X-Forwarded-For" is entered.

Save the settings to complete the change.

It's also possible to use a header such as "True-Client-IP" instead of "X-Forwarded-For."
The header name is not case-sensitive.
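To make the difference between the two "Originating address" modes concrete, here is an added Python model of the evaluation (example code, not WafCharm's or AWS WAF's own implementation). It assumes the first address in the header is the client and that a missing or invalid header yields no match; the blocklist ranges are constructed documentation addresses.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed blocklist for the demo (RFC 5737 documentation ranges, not real data).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]


def originating_address(
    headers: Dict[str, str],
    source_ip: str,
    mode: str = "source",
    header_name: str = "X-Forwarded-For",
) -> Optional[str]:
    """Return the IP address the WAF rule should evaluate.

    mode="source": the TCP peer, which is the CDN's address when an ALB sits behind a CDN.
    mode="header": the first address in the named header, assumed to be the original
    client (proxies append their own hops after it). The header name is matched
    case-insensitively. Returns None if the header is absent or does not start with
    a valid IP address.
    """
    if mode == "source":
        return source_ip
    wanted = header_name.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            first = value.split(",")[0].strip()
            try:
                ipaddress.ip_address(first)
            except ValueError:
                return None  # header present but not a usable address
            return first
    return None  # header not supplied by the CDN at all


def is_blocked(ip: Optional[str], blocklist: Iterable = BLOCKLIST) -> bool:
    """True if ip falls inside any blocklisted network.

    A missing or invalid address is treated as "no match" here; this fallback is an
    assumed policy choice for the example, not a statement about WafCharm's behaviour.
    """
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)
```

With the same request, "source" mode sees only the CDN hop and never matches the blocklist, while "header" mode sees the client address behind the CDN.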

4. Notes

About the setting range on WafCharm dashboard

The WafCharm dashboard can only be used to set the destination of the WafCharm whitelist/blacklist. If you want to change the settings of customized rules, please contact our support representatives.

About the Time it Takes for Changes to Apply

The changes are applied to your web ACL immediately after saving. If you don't want them to interfere with your service, change the settings before starting operation or during a maintenance period.

About the Automatic Blacklist Management Function

If you use the XFF header option, that is, if you specify "IP address in header" for "Originating address," you can use the blacklist features listed below.

  • Blacklisting of IP addresses specified in the WafCharm administration page
  • Blacklisting of IP addresses derived from CSC IP reputation, which are blocked on detection

However, you will not be able to use the re-matching feature to update the IP addresses: the addresses carried in headers such as X-Forwarded-For are not available in the access logs, so the correct IP addresses cannot be detected from them.

About Registering the Access Log

Even if you use IP control based on an HTTP header field such as X-Forwarded-For, the access logs of the devices registered with the web ACL are still required for cost calculation. Do not use a device for which access log transfer is not configured.

About Using with Control by Source IP Address
In the WafCharm management screen, you can select only one of the two: control by source IP address, or IP control by an HTTP header field such as X-Forwarded-For. If you need both, create and manage one of them as your own rule.

About HTTP header fields
Some CDN vendors add their own headers to pass the IP address of the client (origin) or proxy to the server as the request passes through. Each vendor discloses which header should be used and the format of the IP addresses listed in it, so please check this for your CDN.

Because there are multiple points to note, as described above, if you are using CloudFront we recommend a configuration in which AWS WAF is attached to CloudFront rather than to the ALB behind it.

You can find more information on the HELP page, so if you already have a WafCharm account, please refer to this page as well.

5. Conclusion

This is a long-awaited feature for customers who use CDNs such as CloudFront and who want to integrate the WAF function into the Web ACL attached to the ALB. Please check the cautions before using this feature.