Using forwarded IP addresses in Amazon WAF - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using forwarded IP addresses in Amazon WAF

This section applies to rule statements that use the IP address of a web request. By default, Amazon WAF uses the IP address from the web request origin. However, if a web request goes through one or more proxies or load balancers, the web request origin will contain the address of the last proxy, and not the originating address of the client. In this case, the originating client address is usually forwarded in another HTTP header. This header is typically X-Forwarded-For (XFF), but it can be a different one.

Rule statements that use IP addresses

The rule statements that use IP addresses are the following:

  • IP set match - Inspects the IP address for a match with the addresses that are defined in an IP set.

  • Geographic match - Uses the IP address to determine country and region of origin and matches the country of origin against a list of countries.

  • Rate-based rule statement - Can aggregate requests by their IP addresses to ensure that no individual IP address sends requests at too high a rate. You can use IP address aggregation by itself or in combination with other aggregation keys.

You can instruct Amazon WAF to use a forwarded IP address for any of these rule statements, either from the X-Forwarded-For header or from another HTTP header, instead of using the web request's origin. For details on how to provide the specifications, see the guidance for the individual rule statement types.

Note

If the header that you specify isn't present in the request, Amazon WAF doesn't apply the rule to the web request at all.

Fallback behavior

When you use the forwarded IP address, you indicate the match status for Amazon WAF to assign to the web request if the request doesn't have a valid IP address in the specified position:

  • MATCH - Treat the web request as matching the rule statement. Amazon WAF applies the rule action to the request.

  • NO MATCH - Treat the web request as not matching the rule statement.

IP addresses used in Amazon WAF Bot Control

The Bot Control managed rule group verifies bots using the IP addresses from Amazon WAF. If you use Bot Control and you have verified bots that route through a proxy or load balancer, you need to explicitly allow them using a custom rule. For example, you can configure a custom IP set match rule that uses forwarded IP addresses to detect and allow your verified bots. You can use the rule to customize your bot management in a number of ways. For information and examples, see Amazon WAF Bot Control.

General considerations for using forwarded IP addresses

Before you use a forwarded IP address, note the following general caveats:

  • A header can be modified by proxies along the way, and the proxies might handle the header in different ways.

  • Attackers might alter the contents of the header in an attempt to bypass Amazon WAF inspections.

  • The IP address inside the header can be malformed or invalid.

  • The header that you specify might not be present at all in a request.

Considerations for using forwarded IP addresses with Amazon WAF

The following list describes requirements and caveats for using forwarded IP addresses in Amazon WAF:

  • For any single rule, you can specify one header for the forwarded IP address. The header specification is case insensitive.

  • For rate-based rule statements, any nested scoping statements do not inherit the forwarded IP configuration. Specify the configuration for each statement that uses a forwarded IP address.

  • For geo match and rate-based rules, Amazon WAF uses the first address in the header. For example, if a header contains 10.1.1.1, 127.0.0.0, 10.10.10.10, Amazon WAF uses 10.1.1.1.

  • For IP set match, you indicate whether to match against the first, last, or any address in the header. If you specify any, Amazon WAF inspects all addresses in the header for a match, up to 10 addresses. If the header contains more than 10 addresses, Amazon WAF inspects the last 10.

  • Headers that contain multiple addresses must use a comma separator between the addresses. If a request uses a separator other than a comma, Amazon WAF considers the IP addresses in the header malformed.

  • If the IP addresses inside the header are malformed or invalid, Amazon WAF designates the web request as matching the rule or not matching, according to the fallback behavior that you specify in the forwarded IP configuration.

  • If the header that you specify isn’t present in a request, Amazon WAF doesn’t apply the rule to the request at all. This means that Amazon WAF doesn't apply the rule action and doesn't apply the fallback behavior.

  • A rule statement that uses a forwarded IP header for the IP address won’t use the IP address that’s reported by the web request origin.
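The following Python model is added here and is not part of the Amazon WAF documentation or service code; it applies the considerations listed above (case-insensitive header lookup, comma separation, the first/last/any position with the last-10 limit for any, the fallback behavior for malformed values, and no evaluation at all when the header is absent) to constructed request headers. The predicate and the 203.0.113.0/24 network are assumptions standing in for the rule's own IP set or country lookup.

```python
import ipaddress

def parse_forwarded_header(value):
    """Split a comma-separated forwarded-IP header value.
    Returns a list of ipaddress objects, or None when any entry is malformed
    (a non-comma separator such as ';' makes the whole value malformed)."""
    addrs = []
    for part in value.split(","):
        try:
            addrs.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            return None
    return addrs

def candidate_addresses(addrs, position):
    """Geo match and rate-based rules always use the first address; IP set
    match lets you pick FIRST, LAST or ANY, and ANY inspects at most the last 10."""
    if position == "FIRST":
        return addrs[:1]
    if position == "LAST":
        return addrs[-1:]
    return addrs[-10:]

def evaluate(config, headers, predicate, position="FIRST"):
    """Return True (match), False (no match) or None (rule not applied at all).
    config is a ForwardedIPConfig dict as in this page's JSON examples;
    predicate(ip) is the rule's own test (IP set membership, country of origin, ...)."""
    wanted = config["HeaderName"].lower()  # header name is case insensitive
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return None  # header absent: neither the rule action nor the fallback applies
    addrs = parse_forwarded_header(value)
    if not addrs:
        return config["FallbackBehavior"] == "MATCH"  # malformed: fallback decides
    return any(predicate(ip) for ip in candidate_addresses(addrs, position))

# Constructed sample "IP set" of one network (hypothetical; a real rule references an IP set ARN)
ALLOWED = ipaddress.ip_network("203.0.113.0/24")

def in_allowed(ip):
    return ip in ALLOWED

XFF = {"HeaderName": "x-forwarded-for", "FallbackBehavior": "MATCH"}

if __name__ == "__main__":
    # The allowed address is last, so FIRST says no match while LAST and ANY match.
    hdr = {"X-Forwarded-For": "10.1.1.1, 203.0.113.5"}
    for pos in ("FIRST", "LAST", "ANY"):
        print(pos, evaluate(XFF, hdr, in_allowed, pos))
    print("absent header ->", evaluate(XFF, {"Host": "example.com"}, in_allowed))
```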

Best practices for using forwarded IP addresses with Amazon WAF

When you use forwarded IP addresses, use the following best practices:

  • Carefully consider all possible states of your request headers before enabling forwarded IP configuration. You might need to use more than one rule to get the behavior you want.

  • To inspect multiple forwarded IP headers or to inspect the web request origin and a forwarded IP header, use one rule for each IP address source.

  • To block web requests that have an invalid header, set the rule action to block and set the fallback behavior for the forwarded IP configuration to match.

Example JSON for forwarded IP addresses

The following geo match statement matches only if the X-Forwarded-For header contains an IP whose country of origin is US:

{
  "Name": "XFFTestGeo",
  "Priority": 0,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "XFFTestGeo"
  },
  "Statement": {
    "GeoMatchStatement": {
      "CountryCodes": [
        "US"
      ],
      "ForwardedIPConfig": {
        "HeaderName": "x-forwarded-for",
        "FallbackBehavior": "MATCH"
      }
    }
  }
}

The following rate-based rule aggregates requests based on the first IP in the X-Forwarded-For header. The rule counts only requests that match the nested geo match statement, and it only blocks requests that match the geo match statement. The nested geo match statement also uses the X-Forwarded-For header to determine whether the IP address indicates a country of origin of US. If it does, or if the header is present but malformed, the geo match statement returns a match.

{
  "Name": "XFFTestRateGeo",
  "Priority": 0,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "XFFTestRateGeo"
  },
  "Statement": {
    "RateBasedStatement": {
      "Limit": 100,
      "AggregateKeyType": "FORWARDED_IP",
      "ScopeDownStatement": {
        "GeoMatchStatement": {
          "CountryCodes": [
            "US"
          ],
          "ForwardedIPConfig": {
            "HeaderName": "x-forwarded-for",
            "FallbackBehavior": "MATCH"
          }
        }
      },
      "ForwardedIPConfig": {
        "HeaderName": "x-forwarded-for",
        "FallbackBehavior": "MATCH"
      }
    }
  }
}