Forum Discussion

Altostratus

Aug 06, 2019

Solved

Help with X-Forwarded-For iRule

We have many (over 500) Public VIP that we need to insert the client IP in the header for security reasons. When i enabled X-Forwarded-For in the HTTP profile the developer informed me they are recei...

Aug 06, 2019

I would not enable the acceptance of XFF, for it can be faked. You should only trust the IP address that initiated the connection as the client address. As such, you can try the irule below.

when HTTP_REQUEST_RELEASE {
    log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] % 1],[getfield [IP::local_addr] % 1]
    log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
}

Cumulonimbus

Aug 06, 2019

I would not enable the acceptance of XFF, for it can be faked. You should only trust the IP address that initiated the connection as the client address. As such, you can try the irule below.

when HTTP_REQUEST_RELEASE {
    log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] % 1],[getfield [IP::local_addr] % 1]
    log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
}

Jose_Cruz
Altostratus
Aug 06, 2019
i still see the %1000 after the IP and now i also see the self ip after the client IP

Orig XFF: X.X.X.X (IP removed for security reasons)
New XFF: X.X.X.X%1000,XX.XXX.XXX.X (IP removed for security reasons)
- JG
  Cumulonimbus
  Aug 06, 2019
  Are you saying that "New XFF" _added_ "%1000"?
- Jose_Cruz
  Altostratus
  Aug 06, 2019
  Yeah the iRule example you provided above adds the route domain to the new XFF value (same as my iRule did) but it also inserts the self ip. But i found an iRule that fixed the issue. Now i just need to make sure even if someone tries to spoof the IP i log the correct ip.
  
  Modifying the HTTP X-Forwarded-For header to remove the route domain suffix
- JG
  Cumulonimbus
  Aug 06, 2019
  Ah I see, mine had the quotes, which I shall remove.

Forum Discussion

Help with X-Forwarded-For iRule

Recent Discussions

Hi All, We have viprion 4300 with 4450 blades with 6 blades all blades having same configuration

BWC iRule

Can iRule be used to perform exception of IPI category based on Geolocation

help irules for compatibilty

Wildcard SSL Certificate Deployment on F5 LTM

Related Content

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

TCP Option 28 X-Forwarded-For Header

X-Forwarded-For on L4 VS

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

X-Forwarded-For Log Filter for Windows Servers