Oddities in XForwardedFor?

Question

I'm using Tomcat as a webserver and I've got access logs recording the XForwardedFor header into the log.&nbsp;
&nbsp;The oddity I'm seeing is this:
&nbsp;10.20.108.103,unknown&nbsp;
&nbsp;My internal network is 10/16 but *not* 10.20!.&nbsp;
&nbsp;Why is the LTM not recording the real IP address of the other side which is what I really need in the access log?&nbsp;
&nbsp;For most entries, everything works grand but it's these anomalies that are driving me nuts.&nbsp;
&nbsp;The other puzzler is why the LTM even acknowledges the packet.&nbsp;
&nbsp;10. is not publicly routable and this is coming in off a publicly routed interface. I would presume (perhaps wrongly) the LTM would filter out "funny" traffic.&nbsp;
&nbsp;thank!

nicolas_menant · Answer

Hi, 
Have you tried to create an iRule to check this ? 
for example:
when HTTP_REQUEST_SEND {
log local0. "request from [IP::client_addr] with X-FORWARDED-FOR value: [HTTP::header "X-Forwarded-For]"
}
Then you check your log in /var/log/ltm for the logging result. It should help you !
Ensure to write properly the name of the HTTP header X-Forwarded-For
HTH

gregory_gerard_ · Answer

I will add this to my rules but I'm not sure when it will happen again.&nbsp;
&nbsp;Thanks for the suggestion on the diagnostic, though.&nbsp;
&nbsp;I just don't see how this is happening though. The LTM is directly attached to the ethernet and IP space from the colo -- nothing to get in the way!

hooleylist · Answer

It's possible that a client or previous network device is inserting an XFF header.  It's also possible that the BIG-IP is inserting an invalid value (bug?).  nmenant's example should help you determine what's happening.  If you get a runtime error from the example when trying to use the HTTP::header command in the HTTP_REQUEST_SEND event, you could try forcing the HTTP::header command into the clientside context using 'clientside {HTTP::header "X-Forwarded-For"}'.
If you are using the client IP address for anything more important than reporting, it would be good to use an iRule to remove any existing instances of the header you're going to insert before you actually insert the new header.  Here's an example:
when HTTP_REQUEST {
    Remove all instances of the custom header
   while {[HTTP::header exists X-Forwarded-For]}{
      HTTP::header remove X-Forwarded-For
   }
    Insert a new XFF header with the client IP address as a value
   HTTP::header insert X-Forwarded-For value [IP::client_addr]
}
Aaron

gregory_gerard_ · Answer

Thanks, Hoolio! That's neat.&nbsp;
&nbsp;Now, the question is, how is this different from checking the checkbox in the profile (Insert XForwarded For ...)?

hooleylist · Answer

The HTTP profile option would just add a new XFF header with the client IP address.  It wouldn't touch any existing XFF headers.  &nbsp;
&nbsp;The XFF header LTM inserts would be the last XFF header in the request and in theory this is the one the server should parse for its logging.&nbsp;
&nbsp;The iRule ensures that no prior XFF headers are included in the request sent to the server.&nbsp;
&nbsp;Aaron

Forum Discussion

Oddities in XForwardedFor?

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

upgrade oddity / anomoly?

XforwardedFor not working properly for IBM HTTP Server/Apache

Re: Logging of DNS Requests and Responses without a DNS license

need some help with a AS3 declaration

Re: Example OWASP Top 10-compliant declarative WAF policy