How do I open my firewall to Section?
Customers occasionally ask how to whitelist the Section IP addresses, or why requests coming through Section are being blocked.
The first thing to understand is that the Section platform dynamically moves workloads among various infrastructure providers as required, so the IP addresses that requests arrive from change regularly. Because of this, whitelisting Section IP addresses is not a viable long-term solution when the origin web server firewall, WAF, or a module is blocking Section IP addresses (unless you use option 3 below, Fixed Egress, also called Well-known IP configuration).
There are three possible solutions to this problem:
1. Configure the origin web server firewall, WAF, or module to use the True-Client-IP or X-Forwarded-For request header. By default the Section platform sets both headers to the IP address of the actual connecting client. If the firewall, WAF, or module instead takes the connecting IP from the TCP peer address or from some other header, it sees a Section PoP IP address; because many requests arrive from the same PoP, rate limits and blocklists then trigger against part of Section's platform. Note that these headers are only trustworthy on requests that actually came through Section: a client that reaches the origin directly can set them to any value, so the origin also needs a way to tell Section traffic apart (option 2 or option 3).
2. Configure Varnish Cache or OpenResty to add a secret request header, and have the origin web server firewall, WAF, or module verify on every request that the header exists and contains the expected value. Use a long random value, send it to the origin over TLS so it is not exposed in transit, and reject requests where it is missing or wrong:
Example VCL (Varnish Cache):
sub vcl_recv {
# Set the header at the very top of sub vcl_recv before any return(pass) calls
set req.http.section-shared-secret = "RTio4vNHfxiWabqKxj8PZ99k";
}
# Check for this header and its value on the Origin server, WAF, or module
3. Section can configure the environment on our platform to use Well-known IP configuration (Fixed Egress), which means requests will come through a fixed, small number of IP addresses that can be whitelisted by the origin web server firewall, WAF, or module. Note: this configuration incurs additional costs. If you would like to learn more, reach out to Section (support@section.io) for a quote.
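The following is an added example of the origin-side half of options 1 and 2 above; it is not Section's own code. It is a small WSGI origin that accepts a request only if it carries the shared-secret header set in vcl_recv (checked in constant time), and then keys IP blocking on True-Client-IP, falling back to the first X-Forwarded-For entry, rather than on the socket peer address, which would be a Section PoP. The secret value, the header name, the blocklist and the sample addresses are assumptions for the demo; in a real deployment load the secret from configuration and serve the origin over TLS.

```python
"""Origin-side checks for traffic arriving through Section.

Added example, not Section's own code. A request passes only if it carries
the shared-secret header that vcl_recv sets (option 2); IP-based blocking
is then keyed on True-Client-IP or X-Forwarded-For (option 1) instead of
the TCP peer, which would be a Section PoP address. The secret, header
names, blocklist and sample addresses are assumptions for illustration.
"""
import hmac
import ipaddress
from wsgiref.simple_server import make_server

# Assumed: identical to the value set in the Varnish example above.
# Load it from configuration in a real deployment; rotate it on both sides.
SHARED_SECRET = "RTio4vNHfxiWabqKxj8PZ99k"
SECRET_HEADER = "section-shared-secret"

# Constructed blocklist for the demo (TEST-NET-3).
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def secret_is_valid(headers, secret=SHARED_SECRET):
    """True if the request carries the expected shared secret.

    hmac.compare_digest keeps the comparison constant-time, so a direct
    caller cannot recover the value byte by byte from response timing.
    Differing lengths simply compare unequal.
    """
    presented = headers.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def client_ip(headers, peer_addr):
    """Resolve the real client address for a request that came via Section.

    Only meaningful after secret_is_valid(): on any other request these
    headers are whatever the connecting party chose to send.
    """
    tcip = headers.get("true-client-ip")
    if tcip:
        return tcip.strip()
    xff = headers.get("x-forwarded-for")
    if xff:
        # Leftmost entry is the original client by X-Forwarded-For convention.
        # That is only reliable if the edge overwrites a client-supplied
        # header rather than appending to it, so True-Client-IP is preferred.
        return xff.split(",")[0].strip()
    return peer_addr  # no header at all: fall back to the socket peer


def is_blocked(ip):
    """Fail closed on unparsable values; otherwise consult the blocklist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def decide(headers, peer_addr):
    """Return (HTTP status, address the decision was keyed on).

    headers: dict with lower-case header names.
    """
    if not secret_is_valid(headers):
        return 403, peer_addr   # did not come through Section
    ip = client_ip(headers, peer_addr)
    if is_blocked(ip):
        return 403, ip          # block the client, not the PoP
    return 200, ip


def headers_from_environ(environ):
    """Collect the HTTP_* WSGI variables into a lower-case header dict."""
    out = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            out[key[5:].lower().replace("_", "-")] = value
    return out


def application(environ, start_response):
    """Minimal WSGI origin that applies decide() to every request."""
    headers = headers_from_environ(environ)
    status, ip = decide(headers, environ.get("REMOTE_ADDR", ""))
    body = f"{status} for {ip}\n".encode()
    reason = "OK" if status == 200 else "Forbidden"
    start_response(f"{status} {reason}",
                   [("Content-Type", "text/plain"),
                    ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Try: curl -H 'section-shared-secret: RTio4vNHfxiWabqKxj8PZ99k' \
    #           -H 'True-Client-IP: 198.51.100.7' http://127.0.0.1:8080/
    with make_server("127.0.0.1", 8080, application) as httpd:
        httpd.serve_forever()
```

A request without the secret is refused with 403 before any header is trusted, which is what stops a direct-to-origin client from spoofing True-Client-IP. When the secret is present, a blocklist hit is attributed to the client's own address, so a PoP that fronts thousands of clients never accumulates their rate-limit or blocklist counters.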