Dashboard IP Restriction returns 403 when Ant Media Server is behind Azure Front Door #7681
Description
Short description
__A customer is running Ant Media Server behind Azure Front Door and attempting to restrict access to the Ant Media Dashboard (/admin, /admin/login) using the built-in IP filtering feature (server.allowed_dashboard_CIDR).
The behavior works as expected without Azure Front Door, but fails once Azure Front Door is placed in front of Ant Media Server.__
Environment
- Operating system and version:
- Java version:
- Ant Media Server version:
- Browser name and version:
Steps to reproduce
- Verify that the Ant Media Dashboard (/login) is accessible directly (without Azure Front Door).
- Configure server.allowed_dashboard_CIDR to a specific IP/CIDR (for example, a corporate VPN IP).
- Confirm that dashboard access works only from the allowed CIDR and is blocked from other IPs.
- Now, place Azure Front Door in front of the AMS and update DNS so traffic flows through Front Door.
- Access the Ant Media Dashboard via the Azure Front Door endpoint
- Attempt to access /admin/login again via Azure Front Door and Ant Media Server returns HTTP 403 Forbidden for the dashboard access.
Expected behavior
Ant Media should be able to correctly evaluate the original client IP when forwarded via Azure Front Door headers
Actual behavior
When Azure Front Door is disabled: Restricting server.allowed_dashboard_CIDR to the corporate CIDR works as expected.
When Azure Front Door is enabled: Leaving server.allowed_dashboard_CIDR at default allows dashboard access.
Restricting it to the corporate CIDR results in HTTP 403 Forbidden.
Adding the corporate CIDR alone does not allow access.
Logs
Place logs on pastebin or elsewhere and put links here
Ask your questions on Ant Media Github Discussions