Check to see if XFF is present, if so don't insert XFF

Question

External users hit a dns entry on a Netscaler in our dmz. That device inserts the XFF and then passes (pass through mode) the data to an F5 internal to our network. What we are looking to do is if the XFF header is present, don't over write it.&nbsp;
In the case of a connection from outside of the trusted network the XFF header is always the address of the Netscaler passing the connection to the internal F5.&nbsp;
In the case of interanal connections we are looking to have the XFF header inserted as the connection will hit the F5 vip.&nbsp;
So if the internal F5 sees the xFF header inserted by the Netscaler, pass that along as it is so the source of the netscaler doesn't replace the correct on. If there is no XFF the connection is assumed to be internal and the correct XFF header needs to be inserted.&nbsp;
 &nbsp;
Thanks&nbsp;
JohnKrum&nbsp;

t-roy · Answer

when HTTP_REQUEST { 
&nbsp;    insert XFF if it doesn't exist 
&nbsp;    if {not [HTTP::header exists "X-Forwarded-For"]} { 
&nbsp;              HTTP::header insert X-Forwarded-For [IP::client_addr] 
&nbsp;   } 
&nbsp; }

johnkrum_45755 · Answer

I was able to test  
&nbsp;  
&nbsp; when HTTP_REQUEST {  
&nbsp; insert XFF if it doesn't exist  
&nbsp; if {not [HTTP::header exists "X-Forwarded-For"]} {  
&nbsp; HTTP::header insert X-Forwarded-For [IP::client_addr]  
&nbsp; }  
&nbsp; } 
&nbsp;  
&nbsp; today and if I look at the cookie I see both IP addresses inserted. 198.177.94.250 and 10.129.14.248 
&nbsp;  
&nbsp; auroraSSO=266391041180ICONNECTEMPHAGA                          BILLY               https://caregiverconnect.aurora.org198.177.94.250, 10.129.14.2481364235987888AdqO34nrlPBoHQNreOq+OepatfI= 
&nbsp;  
&nbsp; Any adjustments that I can make to have get this to work? 
&nbsp; To be more clear -  
&nbsp; 1) if the connection is internal to our network the request goes directly to the F5 vip and XFF is inserted 
&nbsp; 2) if the connection is external to our network the request hits a Netscaler which inserts the XFF and the connection is passed on to the F5 VIP 
&nbsp;     The iRule should see the XFF and not over write or insert a new one.  
&nbsp;  
&nbsp; Thanks &nbsp;

what_lies_bene1 · Answer

Sorry but can you clarify the issue please? You mention you are looking at a cookie, I'm not sure what this has to do with XFF HTTP Headers. How are you checking whether the header is inserted or not? Can you confirm the name and case of the header the Netscaler is inserting?

johnkrum_45755 · Answer

Steve, 
&nbsp; Your right, that is inserted in the get. I have a question asking how the developers are pulling that address to build the cookie I displayed above. I could get a packet capture if need be. I will keep you posted. 
&nbsp; Thanks,

Forum Discussion

Check to see if XFF is present, if so don't insert XFF

4 Replies

Recent Discussions

preserve client IP on layer 4 VIP

Failed to convert character dclid=%EDclid!

ASM - Parent policy vs OWASPcompliance

Rewrite uri translation not working

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

Related Content

F5 SLEDFest 2022 Tallahassee Edition - Infrastructure Modernization presentation

F5 SLEDFest 2022 Tallahassee Edition - Enterprise Application Strategy presentation

F5 SLEDFest 2022 Tallahassee Edition - F5 Distributed Cloud Services Presentation

Check a Virtual Server's SSL Status

F5 SLEDFest 2022 Sacramento Edition - Securing and Hardening your BIG-IP presentation