I am trying to set up an Azure Front Door before requests reach my api.

The flow I have imagined mydomain.com -> AFD -> fdsub.mydomain.com

If I call fdsub.mydomain.com directly, the XFF looks fine. However, when I go through the AFD custom domain, the XFF header is overwritten (I see 2 MS data center IPs) and the XFF header that was there before the AFD is moved to X-Original-Forwarded-For.

In addition to this, when going through the front door, the x-azure-clientip seems to be set correctly as opposed to the XFF header.

According to the Microsoft documentation, AFD should only append to my XFF and not tinker by removing the original XFF header.

Any help would be deeply appreciated.

2 Answers


  1. Chosen as BEST ANSWER

    I managed to figure out the issue.

    The problem was before the AFD. My Nginx controller and ingress did not have the correct configuration set, meaning my headers were not being forwarded at all from mydomain.com to AFD.

    I have added: use-forwarded-headers: 'true' to my nginx controller configmap and that seems to have resolved the problem.

    Thanks to this previous post, I managed to get back on track.

    Source IP with Azure Front Door and Ingress-nginx


  2. According to the MS documentation, Azure Front Door should only append to the XFF header and not remove the original XFF header, as per this doc.

    It’s possible that the XFF header is being overwritten due to a misconfiguration (2 MS data center IPs). You may want to review your Azure Front Door configuration and ensure that it’s set up correctly.

    To set up Azure Front Door, configure it for your API, and ensure that the X-Forwarded-For header is properly appended rather than overwritten.

    You can create a backend API App service:

    az appservice plan create --name apiAppServicePlan --resource-group arkorg --sku B1 --is-linux

    You now have an API service running on https://fdsub.azurewebsites.net.

    You can then set up a storage account for storing the diagnostic logs.

    Create an Azure Front Door instance that routes traffic to your backend API and configures custom rules for XFF headers.

    Now that you’ve created the App Service, Azure Front Door, and a storage account for logs, enable Diagnostic Logs for Azure Front Door:

    az monitor diagnostic-settings create \
      --name afdDiagnostic \
      --resource "/subscriptions/abcd-efg-hijk-lmnop-qrstuvwxyz/resourceGroups/arkorg/providers/Microsoft.Network/frontDoors/arkoFrontDoor" \
      --logs '[{"category": "FrontdoorAccessLog", "enabled": true}]' \
      --metrics '[{"category": "AllMetrics", "enabled": true}]' \
      --storage-account "/subscriptions/abcd-efg-hijk-lmnop-qrstuvwxyz/resourceGroups/arkorg/providers/Microsoft.Storage/storageAccounts/arkoafdlogs"

    This will now capture access logs and metrics for Azure Front Door and store the logs in the storage account (arkoafdlogs).

    Now configure the rules engine to handle the X-Forwarded-For header.

    FYI, all these header modifications are only possible with the Standard or Premium SKU.
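
Because Front Door appends to an incoming X-Forwarded-For and `use-forwarded-headers: 'true'` lets ingress-nginx pass that header on, the left-most entries of the chain stay client-controlled. The following added example (not part of the original question or answers) resolves the client address by walking the chain right to left past trusted proxies; the function names are hypothetical and the CIDR ranges are constructed placeholders, not real Azure ranges.

```python
import ipaddress

# Constructed placeholder ranges (assumptions), NOT real Azure address space.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # stand-in for Front Door egress
    ipaddress.ip_network("10.0.0.0/8"),       # stand-in for ingress/pod network
]

def _parse(token):
    """Return an ip_address for one XFF entry, or None if it is not an IP."""
    token = token.strip()
    if token.startswith("["):            # bracketed IPv6 with port: [::1]:443
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # IPv4 with port: 1.2.3.4:443
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def _trusted(ip, trusted):
    return any(ip in net for net in trusted)

def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """peer: TCP peer address; xff: raw X-Forwarded-For value or None."""
    peer_ip = _parse(peer)
    if peer_ip is None:
        raise ValueError("peer is not an IP address")
    # A header from a peer we do not trust is attacker-controlled: ignore it.
    if not xff or not _trusted(peer_ip, trusted):
        return str(peer_ip)
    candidate = peer_ip
    # Each trusted proxy appended the address it saw, so read right to left
    # and stop at the first entry that is not one of our own proxies.
    for token in reversed(xff.split(",")):
        ip = _parse(token)
        if ip is None:
            break                        # malformed entry: keep last verified hop
        candidate = ip
        if not _trusted(ip, trusted):
            break
    return str(candidate)

if __name__ == "__main__":
    # Constructed sample: client forged "1.1.1.1", proxies appended the rest.
    print(client_ip("10.0.0.5", "1.1.1.1, 203.0.113.7, 198.51.100.20"))
```

Entries to the left of the returned address were supplied by the client and should not be used for access control or rate limiting.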
