Description
- I have a CDN (like Akamai or Cloudflare) in front of Silverline's proxy that has an L7 DDoS/Shape profile enabled
- The L7 DDoS/Shape profile identifies the source IP as the CDN IP rather than the actual client IP address
- Typical traffic flow:
  Client -> CDN -> F5 Silverline -> Backend Application
Environment
- CDN
- XFF
- True-Client-IP
- Other Alternative Source IP header
- Silverline Proxy
- Shape Defense
- L7 DDoS
Cause
- The "Insert X-Forwarded-For Header" option under the proxy configuration is likely enabled
- This option inserts the XFF header with the incoming source IP, which behind a CDN is the CDN's IP address.
Resolution
- Ensure that the correct HTTP header is configured in "Alternative Trusted Source Header"
- Ensure that the "Insert X-Forwarded-For Header" option is disabled
- Note: If the CDN uses a custom header in place of X-Forwarded-For, such as True-Client-IP, add that header name in the Alternative Trusted Source Header field.
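
The effect of the two settings can be seen in a small model of the traffic flow above. This is an added example, not F5 Silverline code: the function names, the append behaviour of the insert option, the CDN range check and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not real CDN or client IPs.
CDN_NETS = [ipaddress.ip_network("198.51.100.0/24")]
CLIENT_IP, CDN_EDGE_IP = "203.0.113.7", "198.51.100.20"


def proxy_forward(peer_ip, headers, insert_xff):
    """Assumed model of the proxy hop: optionally add XFF with the incoming source IP."""
    out = {k.lower(): v for k, v in headers.items()}
    if insert_xff:
        prior = out.get("x-forwarded-for")
        # Behind a CDN the incoming source IP is the CDN edge, not the client.
        out["x-forwarded-for"] = f"{prior}, {peer_ip}" if prior else peer_ip
    return out


def resolve_source_ip(peer_ip, headers, trusted_header):
    """Pick the address a per-source profile would key on (hypothetical helper)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in CDN_NETS):
        return peer_ip  # not from the CDN: ignore client-supplied headers
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(trusted_header.lower(), "")
    candidate = raw.split(",")[-1].strip()  # last hop recorded before this proxy
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # header missing or malformed: fall back to the peer


def demo():
    """Resolve the source IP for the misconfigured and corrected settings."""
    from_cdn = {"X-Forwarded-For": CLIENT_IP, "True-Client-IP": CLIENT_IP}
    results = {}
    for label, insert in (("insert_xff_enabled", True), ("insert_xff_disabled", False)):
        fwd = proxy_forward(CDN_EDGE_IP, from_cdn, insert)
        results[label] = resolve_source_ip(CDN_EDGE_IP, fwd, "X-Forwarded-For")
    fwd = proxy_forward(CDN_EDGE_IP, from_cdn, False)
    results["true_client_ip"] = resolve_source_ip(CDN_EDGE_IP, fwd, "True-Client-IP")
    return results


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name}: {ip}")
```

With the insert option enabled, the model resolves every request to the CDN edge address, so a per-source profile would treat all clients behind the CDN as one source.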