
Forwarded HTTP Extension Insertion (RFC 7239)

Problem this snippet solves:

Until June 2014, there was no standard HTTP header for passing client-side request properties to a web server behind a reverse proxy, such as:

  • Client IP Address
  • requested Host header
  • requested protocol (HTTP / HTTPS)
  • Reverse Proxy egress IP address

This information was injected in the following non-standard headers:

  • Client IP Address : X-Forwarded-For
  • requested Host header : X-Forwarded-Host
  • requested protocol (HTTP / HTTPS) : X-Forwarded-Proto
  • Reverse Proxy egress IP address : Via

RFC 7239 (Forwarded HTTP Extension) provides a single header that carries all of this information: Forwarded

Here are some examples of the Forwarded header:

   Forwarded: for="_gazonk"
   Forwarded: For="[2001:db8:cafe::17]:4711"
   Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
   Forwarded: for=192.0.2.43, for=198.51.100.17

This code inserts the Forwarded header with the expected values into the HTTP request:

  • insert the for parameter with the client IP address (IPv6 addresses are enclosed in brackets)
  • include in the for parameter the for values from the client request's Forwarded header
  • include in the for parameter the values from the client request's X-Forwarded-For header
  • insert the by parameter with the IP address (IPv6 addresses are enclosed in brackets)
  • insert the proto parameter depending on whether a clientssl profile is enabled on the virtual server
  • insert the host parameter with the Host header of the client request

Version 1.1: adds route domain ID support (the route domain ID is removed from IP addresses before they are inserted)
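The header-building logic listed above, modelled in Python so it can be run and checked off-box. This is an added sketch, not the iRule published with this snippet. Assumptions: the function names, the use of the local address for `by`, dropping malformed inherited values, and placing inherited values first with the proxy's own element last (the RFC 7239 append convention).

```python
import ipaddress
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"            # RFC 7230 token
QUOTED = r'"(?:\\.|[^"\\])*"'                       # RFC 7230 quoted-string
PAIR = re.compile(rf"({TOKEN})=({TOKEN}|{QUOTED})")
PIECE = re.compile(rf'(?:[^,"]|{QUOTED}|")+')       # split on commas outside quotes
ELEMENT = re.compile(rf"\s*{PAIR.pattern}(?:;{PAIR.pattern})*\s*")
# Defaults copied from the variables listed on this page.
DEFAULTS = {"INSERT_FORWARDED_FOR": 1, "KEEP_FORWARDED_FOR": 1,
            "CONVERT_XFF_TO_FORWARDED_FOR": 1, "INSERT_FORWARDED_BY": 0,
            "INSERT_FORWARDED_PROTO": 1, "INSERT_FORWARDED_HOST": 0}

def quote(value):
    """Return value as a token, or as a quoted-string when it is not one."""
    if re.fullmatch(TOKEN, value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def node(addr):
    """Strip a route domain suffix (%N), bracket IPv6; raise on non-IP input."""
    ip = ipaddress.ip_address(addr.strip().split("%", 1)[0])
    return quote(f"[{ip}]" if ip.version == 6 else str(ip))

def build_forwarded(client, local, tls, host, forwarded="", xff="", cfg=DEFAULTS):
    """Hypothetical helper: build the Forwarded value sent to the backend."""
    elements = []
    if cfg["KEEP_FORWARDED_FOR"]:           # client-supplied, so untrusted
        for piece in PIECE.findall(forwarded):
            if ELEMENT.fullmatch(piece):    # malformed elements are dropped
                elements += [f"for={v}" for k, v in PAIR.findall(piece)
                             if k.lower() == "for"]
    if cfg["CONVERT_XFF_TO_FORWARDED_FOR"]:
        for addr in filter(None, xff.split(",")):
            try:
                elements.append("for=" + node(addr))
            except ValueError:
                pass                        # not an IP literal: drop it
    own = []                                # the element this proxy vouches for
    if cfg["INSERT_FORWARDED_FOR"]:
        own.append("for=" + node(client))
    if cfg["INSERT_FORWARDED_BY"]:
        own.append("by=" + node(local))
    if cfg["INSERT_FORWARDED_PROTO"]:
        own.append("proto=" + ("https" if tls else "http"))
    if cfg["INSERT_FORWARDED_HOST"]:
        own.append("host=" + quote(host))
    if own:
        elements.append(";".join(own))
    return ", ".join(elements)
```

With the keep and convert options enabled, every element except the last is copied from headers the client sent, so a backend that uses this header for access control or logging should rely only on the final element. The `host` value is likewise taken from the client's request.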

How to use this snippet:

Enable this iRule on the virtual server and set the following variables to 0 or 1 to disable / enable each parameter in the header:

# Insert "For" parameter
set INSERT_FORWARDED_FOR 1
# Include in "For" parameter values from request Forwarded header
set KEEP_FORWARDED_FOR 1
# Include in "For" parameter values from request X-Forwarded-For header
set CONVERT_XFF_TO_FORWARDED_FOR 1
# Insert "By" parameter
set INSERT_FORWARDED_BY 0
# Insert "Proto" parameter
set INSERT_FORWARDED_PROTO 1
# Insert "Host" parameter
set INSERT_FORWARDED_HOST 0
Tested on Version:
13.0
Comments on this Snippet
Comment made 18-Apr-2018 by René Geile 154

Hi,

thanks for this irule. A few notes:

  • If other irules are attached to the same virtual server I suggest to attach a priority to the HTTP_REQUEST event to ensure it runs before any irule changes headers.

    priority 100
    when HTTP_REQUEST {
    
  • If you would like to add TCP ports of the client side connection to the header change the following:

    • line 33:

      lappend FFOR_HEADER_LIST "for=$CLIENT_ADDR:[TCP::remote_port]"
      
    • line 78:

      set FBY_HEADER "by=$BY_ADDR:[TCP::local_port]"
      

Regards, René

Comment made 19-Apr-2018 by Stanislas Piron 9618

Hi René,

Thank you for the update. I will update this code with your suggestion, but including new variables :

# Include source port in "For" parameter (If "For" parameter is inserted)
set INSERT_FORWARDED_FOR_PORT 1
# Include source port in "By" parameter (If "By" parameter is inserted)
set INSERT_FORWARDED_BY_PORT 0

then replacing line 33 with :

lappend FFOR_HEADER_LIST "for=$CLIENT_ADDR[ expr {$INSERT_FORWARDED_FOR_PORT ? ":[TCP::remote_port]" : ""}]"

and line 78 with :

set FBY_HEADER "by=$BY_ADDR[ expr {$INSERT_FORWARDED_BY_PORT ? ":[TCP::local_port]" : ""}]"

And I will also add priority option.

Comment made 3 weeks ago by MR_RJ 102

Latest update, today, from F5 regarding native support; "Consulting PD, there is an RFE for this, but currently there is no target version to officially add native support for RFC7239 in HTTP profile."

Looks like F5 is spreading a bit thin due to so many products these days, the base-platform doesn't get the attention that their customers require. But yes, the iRule above is great to get this working. So thanks for making such a public and great effort on providing this.
