Forum Discussion
david_20684
May 12, 2008
Nimbostratus
Hi Aaron,
I had to make some changes to the script as it would not compile, just minor adjustments, added or removed brackets. Can you confirm that what I have done is correct, please?
    when HTTP_REQUEST {
        # Check if there are any XFF headers
        if { [HTTP::header exists X-Forwarded-For] } {
            # Log a debug message for deleting the current XFF header
            log local0. "Removing XFF: [HTTP::header value X-Forwarded-For]"
            # Remove the current XFF header
            HTTP::header remove X-Forwarded-For
        }
        # Now that no XFF headers exist, insert a new one
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
However, if the script is correct, it still isn't working, as I cannot get the IP restrictions to work. My configuration is as follows: I have a VIP defined with two Microsoft IIS 6 web servers being load balanced with SNAT in the DMZ, a rather simple configuration. I also have x-forwarded-for installed as an ISAPI on the web servers for client address logging, and it is working. I have a workstation on the inside network (private address) connecting via HTTP to the VIP address without any issues, but as soon as I try to restrict access to the web site by denying all except certain addresses (the address of the workstation), I get the usual 403 error message in the browser of the workstation.
Thanks
David
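An added example, not part of David's post or of the script he was given: with SNAT in front of the pool, the TCP source address the web servers see is the BIG-IP's, while `[IP::client_addr]` on the BIG-IP is still the real client, so one option is to enforce the address restriction in the iRule and then rewrite the header. The two allowed addresses are constructed placeholders, and the sketch assumes the restriction is meant to apply to the real client address.

```tcl
when HTTP_REQUEST {
    # Constructed allow-list (placeholder addresses, replace with your own):
    #   192.0.2.10                    a single permitted workstation
    #   198.51.100.0/255.255.255.0    a permitted subnet
    # IP::client_addr is the peer address of the client-side connection,
    # taken before SNAT is applied towards the pool members.
    if { not ( [IP::addr [IP::client_addr] equals 192.0.2.10] or
               [IP::addr [IP::client_addr] equals 198.51.100.0/255.255.255.0] ) } {
        # Record the refusal, then answer from the BIG-IP so the request
        # never reaches the web servers.
        log local0. "Denied [IP::client_addr] requesting [HTTP::host][HTTP::uri]"
        HTTP::respond 403 content "Forbidden"
        return
    }

    # Permitted client: discard whatever X-Forwarded-For the client sent,
    # because that value is under the client's control.
    if { [HTTP::header exists X-Forwarded-For] } {
        log local0. "Removing XFF: [HTTP::header value X-Forwarded-For]"
        HTTP::header remove X-Forwarded-For
    }

    # Insert one header carrying the address the BIG-IP itself observed,
    # for the ISAPI filter that logs client addresses on the web servers.
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
```

The decision here is made on the connection's source address, never on the header value; the inserted X-Forwarded-For is only for logging downstream.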