remove a confirmed IP address from X-Forwarded-For using Irules

Question

How to remove a confirmed IP from X-Forwarded-For such as 1.1.1.1 or 2.2.2.2,thanks a lot! &nbsp;

jad_tabbara__j1 · Answer

Hi, 
You can use the "string map" command to remove a known IP from the XFF header. 
For example: 
when HTTP_REQUEST {

if { [HTTP::header value "X-Forwarded-For"] contains "1.1.1.1" } {

This will replace the 1.1.1.1 by ""
   set new_xff [string map {1.1.1.1 ""} [HTTP::header value "X-Forwarded-For"] ]

You can add logs to /var/log/ltm to verify if it works correctly
   log local0. "Old XFF: [HTTP::header value "X-Forwarded-For"]"

Then you can modify the value and log again to verify the new value
   HTTP::header replace "X-Forwarded-For" $new_xff
   log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"

}

Hope it helps

Forum Discussion

remove a confirmed IP address from X-Forwarded-For using Irules

1 Reply

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

Performance L4 VS - HTTPS [X-forwarded-for]

X-Forwarded-For Log Filter for Windows Servers

Difference between Insert X-Forwarded-For and Accept XFF?