Posted On: Jul 9, 2020

AWS WAF now supports inspecting the X-Forwarded-For (XFF), True-Client-IP, or other custom header that includes the originating IP address of a client connecting to your application through an HTTP proxy or a third-party CDN. With this feature, you can reference these headers to write rate-based rules, geographic match rules, or IP match rules, allowing you to take action on IPs that are found within these headers. Both IPv4 and IPv6 addresses are supported. 

When using the XFF header in an IP match rule, you can block requests to your application based either on the client’s original IP or on a proxy’s IP by specifying the position of the IP address. For example, to block based on client’s original IP, you can set the position to first IP found within the header value to block on client’s original IP, or set to last or any IP found to block on proxy’s IP. When using the XFF header on rate-based rules for rate limiting, or on geographic match rules for geofencing based on country, AWS WAF will inspect the first IP (originating client IP) found within the header value. 

You can get started by creating a new IP match rule, rate-based rule, or geographic match rule and simply enabling the XFF header option. There is no additional cost for this feature (standard AWS WAF charges will apply). To learn more, please see the AWS WAF developer guide here for additional detail.