Origin web server firewall blocking section.io servers

If you run a firewall on your origin web servers, make sure its rules do not accidentally block section.io’s platform. A common scenario we’ve seen is the origin firewall blocking based on the connecting client’s IP address. This does not work with a CDN in front, because the majority of connections will come from section.io’s IP addresses: we sit between browsers and the origin servers. Blocking these IPs results in legitimate traffic being blocked.

By default, the section.io platform generates a True-Client-IP HTTP request header and sends it to the origin. A typical example of such a header will look like:


You will need to set up the firewall so that it blocks traffic based on this IP address rather than the connecting IP. This way, any malicious True-Client-IP addresses will be blocked by the origin firewall, while legitimate traffic through section.io will still be allowed.

We’ve had some questions from customers who wish to whitelist our servers. section.io runs on AWS and Azure infrastructure, so IP whitelisting is not advised, as AWS and Azure have a lot of IP ranges. Customers in the past have often used a shared secret key header that is sent by the section.io platform as part of all requests to the origin; the origin can then choose to block requests that do not have that header present.
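The two origin-side checks described above can be combined so that True-Client-IP is only consulted on requests that carry the shared secret. The following is an added example, not section.io code: the header name `X-Origin-Secret`, the secret value and the blocklist ranges are assumptions constructed for illustration.

```python
import hmac
import ipaddress

# Assumptions for this example (not section.io names): the header name,
# the secret value and the blocklist entries are all constructed.
SECRET_HEADER = "X-Origin-Secret"
SHARED_SECRET = "example-secret-rotate-me"
BLOCKED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.7/32")]


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def decide(headers):
    """Return (allowed, reason) for one request reaching the origin."""
    # 1. Requests without the shared secret did not come through the CDN.
    presented = get_header(headers, SECRET_HEADER) or ""
    if not hmac.compare_digest(presented.encode(), SHARED_SECRET.encode()):
        return False, "missing or wrong shared secret header"

    # 2. The request came through the CDN, which generates True-Client-IP.
    raw_ip = get_header(headers, "True-Client-IP")
    try:
        client_ip = ipaddress.ip_address(raw_ip or "")
    except ValueError:
        return False, "True-Client-IP missing or malformed"

    # 3. Block on the browser's address, never on the connecting CDN address.
    for network in BLOCKED_NETWORKS:
        if client_ip.version == network.version and client_ip in network:
            return False, f"client {client_ip} is in blocked range {network}"
    return True, f"client {client_ip} allowed"


if __name__ == "__main__":
    # Constructed sample requests: allowed, blocked client, no secret.
    samples = [
        {"X-Origin-Secret": SHARED_SECRET, "True-Client-IP": "192.0.2.10"},
        {"X-Origin-Secret": SHARED_SECRET, "True-Client-IP": "203.0.113.55"},
        {"True-Client-IP": "192.0.2.10"},
    ]
    for request_headers in samples:
        print(decide(request_headers))
```

Checking the secret first matters: a request that reaches the origin without passing through the CDN can carry any True-Client-IP value the sender chooses.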

Example VCL