TL;DR
Running an ASV scan when your website is behind a reverse proxy requires configuring the scanner to respect the X-Forwarded-* headers. This guide explains how to do this, covering common proxies like Nginx and Apache.
Steps
- Understand X-Forwarded Headers
Reverse proxies add headers to requests indicating the original client’s IP address and protocol. Common headers include:
- X-Forwarded-For: Contains a comma-separated list of client IPs, including the original client.
- X-Forwarded-Proto: Indicates whether the connection between the client and proxy was HTTP or HTTPS.
- X-Forwarded-Host: The original host requested by the client.
The ASV scanner needs to read these headers to accurately identify your website’s public IP address, port, and protocol.
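As an added example (not code from the original guide), the helper below shows how a backend or scanner-side component can resolve the original client address and public origin from these headers. It assumes a constructed list of trusted proxy networks and ignores the headers entirely when the connecting peer is not one of those proxies, because anyone making a direct request can set X-Forwarded-* to any value.

```python
from ipaddress import ip_address, ip_network

# Assumption: networks our reverse proxies live in (constructed sample values).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff):
    """Return the original client IP.

    peer_addr: address of the TCP peer that connected to us.
    xff: raw X-Forwarded-For value, or None.
    The chain is walked right-to-left, skipping trusted proxies; the
    first untrusted hop is the client. If the peer itself is untrusted
    the header is ignored, so a direct client cannot spoof its address.
    """
    if not is_trusted(peer_addr) or not xff:
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
    return hops[0] if hops else peer_addr


def public_origin(peer_addr, headers, default_scheme="http", default_host="localhost"):
    """Reconstruct scheme://host as seen by the client, from X-Forwarded-Proto/Host."""
    if not is_trusted(peer_addr):
        return f"{default_scheme}://{default_host}"
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", default_scheme).split(",")[0].strip().lower()
    if scheme not in ("http", "https"):
        scheme = default_scheme  # reject junk values rather than echo them
    host = h.get("x-forwarded-host", default_host).split(",")[0].strip()
    return f"{scheme}://{host}"


if __name__ == "__main__":
    # Constructed sample: proxy 10.0.0.9 forwarded a request from 203.0.113.7
    print(client_ip("10.0.0.5", "203.0.113.7, 10.0.0.9"))
    print(public_origin("10.0.0.5", {"X-Forwarded-Proto": "https",
                                     "X-Forwarded-Host": "www.example.com"}))
```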
Most ASV scanners have options to respect X-Forwarded-* headers. The exact configuration varies depending on the scanner:
- Qualys SSL Labs: Qualys automatically detects and uses these headers. No specific configuration is usually needed.
- Rapid7 InsightVM/Nexpose: In the scan policy settings, look for options related to proxy detection or X-Forwarded-* header handling. Enable ‘Respect X-Forwarded Headers’.
- OpenVAS/Greenbone Vulnerability Manager: Configure the scanner target with the correct IP address and port that the reverse proxy exposes. OpenVAS typically relies on the network configuration to determine the public IP, so ensure your server’s network settings are accurate.
If your scanner doesn’t have a specific option, you may need to use command-line arguments or API settings.
After configuring the scanner, run a test scan and verify that it correctly identifies your website’s public IP address, port, and protocol. Check the scan results for any discrepancies.
Ensure your reverse proxy is properly forwarding headers:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
These lines in your Nginx configuration will ensure the correct headers are passed to the backend server.
For Apache, enable and configure the mod_proxy_http module (the RequestHeader directive itself is provided by mod_headers, which must also be loaded). Add these directives to your virtual host configuration:
# RequestHeader values that reference request variables must use the expr= form
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
# mod_proxy_http already adds X-Forwarded-For when ProxyAddHeaders is On (the default);
# this line only matters if you have turned that off
RequestHeader set X-Forwarded-For expr=%{REMOTE_ADDR}
These directives will forward the necessary headers to your backend server.
Ensure your firewall allows traffic from the ASV scanner’s IP ranges. Blocking the scanner’s access will prevent it from performing a scan, even with correct header configuration.