Forum Discussion

sgoodliff_83611
Nov 22, 2007

X-Forwarded-For

Hello,

I've been trying to extract the X-Forwarded-For variable with an iRule. But when I do something like this:

when HTTP_REQUEST {
   set headers [HTTP::header names]
   foreach header_name $headers {
      log local0. "HTTP_header_DUMP [IP::client_addr] [IP::remote_addr] $header_name: [HTTP::header $header_name] ([string length [HTTP::header $header_name]]) "
   }
}

The X-forwarded variable always returns the same as the client_addr and remote_addr which is the proxy server and not the real client.

The proxy sends the header in the request and it's set to the correct IP.

Any ideas on how to access the variable or what part of my config must be stripping the variable?

Thanks

Steve Goodliff

5 Replies

  • Hi Steve,

    What version are you running? There is an issue in versions prior to 9.4.x where you can't get the value for anything but the first header when the request or response has multiple headers with the same name.

    http://devcentral.f5.com/wiki/default.aspx/iRules/http__header

    HTTP::header values

    * Returns value(s) of the HTTP header named . Note that the command will return the values of all of the headers if there are multiple headers with the same name. If there is a single value for the HTTP header, that value will be returned.

    * (This subcommand was added in v9.4.0)

    HTTP::header names

    * Returns a list of all the headers present in the request or response.

    * In v9.4.0 and higher, multiple headers with the same name will be listed multiple times.

    So if you're running 9.4.0 or higher, you could use:

    
    when HTTP_REQUEST {
       log local0. "X-Forwarded-For: [HTTP::header values {X-Forwarded-For}]"
    }

    Another thing to try would be to verify that the XFF header with the original client IP is actually in the request coming from the proxy server. You could run a tcpdump to check this:

    tcpdump -ni 0.0 -Xs0 host PROXY_SERVER_IP

    Aaron
  • Hello,

    I'm running version 9.4.2. And tcpdump on the F5 shows a Via & X-Forwarded-For in the HTTP request from the proxy server. But when I do the loop around the headers I don't see either of them.

    I tried disabling the insert X-Forwarded-For bit in the HTTP profile in case that was overwriting the original value, but when I did that it just didn't show the variable at all.

    Thanks
  • That's interesting... Can you post a snippet of the tcpdump which shows the format of the X-Forwarded-For header(s) to see if there is anything odd there?

    Thanks,

    Aaron
  • Hello,

    Sorry I've been away but here you go:

    GET /oxigames/home/index.jsp HTTP/1.0
    Host: virtuefusion.ladbrokes.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Cookie: FLAGS=en|en|uk|default|DECIMAL|0|GBP
    Via: 1.1 vps.netassassins.com:8080 (squid/2.5.STABLE3)
    X-Forwarded-For: 87.86.219.40
    Cache-Control: max-age=259200
    Connection: keep-alive

    Thanks.
  • Can you replace 'HTTP::header $header_name' with 'HTTP::header values $header_name' and retest?

    Using this version of the rule with HTTP::header values on 9.4.0, I see a list of the X-Forwarded-For values:

    
    when HTTP_REQUEST {
       set headers [HTTP::header names]
       log local0. "\$headers: $headers"
       foreach header_name $headers {
          log local0. "HTTP_header_DUMP [IP::client_addr] [IP::remote_addr] $header_name: [HTTP::header values $header_name] ([string length [HTTP::header $header_name]]) "
       }
    }

    Request:

    GET /oxigames/home/index.jsp HTTP/1.0
    Host: virtuefusion.ladbrokes.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Cookie: FLAGS=en|en|uk|default|DECIMAL|0|GBP
    Via: 1.1 vps.netassassins.com:8080 (squid/2.5.STABLE3)
    X-Forwarded-For: 87.86.219.40
    Cache-Control: max-age=259200
    Connection: keep-alive

    Log output:

    HTTP_header_DUMP 192.168.101.248 192.168.101.248 X-Forwarded-For: 87.86.219.40 192.168.99.210 192.168.101.248 (15)

    This is with XFF insert enabled on the HTTP profile. So 87.86.219.40 is the fake XFF value I sent in my request. 192.168.99.210 is my original client IP. 192.168.101.248 is the proxy server that the request transits before the BIG-IP.

    Aaron
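
Added example, not part of the thread and not iRule code: the last log line above carries three X-Forwarded-For values, and only those written by proxies you operate can be relied on. This Python function shows how a server behind the BIG-IP can choose the client address by walking the values right to left through a trusted-proxy list; `BIGIP_ADDR` and the contents of `TRUSTED` are assumptions constructed for the example.

```python
import ipaddress

def flatten_xff(header_values):
    """Return every hop in append order; one header line may hold 'a, b, c'."""
    hops = []
    for value in header_values:
        hops.extend(p.strip() for p in value.split(",") if p.strip())
    return hops

def client_from_xff(header_values, peer_addr, trusted_proxies):
    """Walk the chain right to left, starting at the TCP peer, and return the
    first address that is not one of our own proxies."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer_addr)
    for hop in reversed(flatten_xff(header_values)):
        if not any(current in net for net in trusted):
            break  # current is not our proxy; entries to its left are unverified
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)

# Values as logged in the thread (three X-Forwarded-For entries).
LOGGED_XFF = ["87.86.219.40", "192.168.99.210", "192.168.101.248"]
# Constructed for this example: the address the BIG-IP uses towards the server.
BIGIP_ADDR = "192.0.2.10"
# Assumption: the BIG-IP and the upstream proxy are the only trusted hops.
TRUSTED = [BIGIP_ADDR + "/32", "192.168.101.248/32"]

if __name__ == "__main__":
    hops = flatten_xff(LOGGED_XFF)
    print("first value :", hops[0])    # client-supplied, unverified
    print("last value  :", hops[-1])   # the proxy, as inserted by the BIG-IP
    print("trusted walk:", client_from_xff(LOGGED_XFF, BIGIP_ADDR, TRUSTED))
```
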