Forum Discussion

sricharan61
Oct 10, 2019

How can we replace multiple IPs in an existing X-Forwarded-For header with a single originating client IP before sending traffic to the backend?

How can we replace multiple IPs in an existing X-Forwarded-For header, received on the F5 client side, with a single originating client IP before sending traffic to the backend servers?

5 Replies

  • Hi

    If you want to completely replace the XFF header, then this should do it:

    when HTTP_REQUEST {
        # Drop whatever X-Forwarded-For the client or upstream hops sent...
        if { [HTTP::header exists "X-Forwarded-For"] } {
            HTTP::header remove "X-Forwarded-For"
            # ...and replace it with the address of the TCP peer that connected to the BIG-IP
            HTTP::header insert "X-Forwarded-For" "[IP::client_addr]"
        }
    }
    • Hi Iaine

      Thanks for your response.

      Going by the security procedures here, I would not really want to remove the complete X-Forwarded-For header and insert a new one, even though that's a solution too. I was hoping F5 could only remove any other IPs within the X-Forwarded-For header (for the cases where the hops between the origin client and the F5 are already adding the X-Forwarded-For header) and replace it with only the origin client IP when it receives the request, then send it to the backend servers so they don't have to worry about which IP is the origin IP, the leftmost or the rightmost.

      Let me know if this is not a good solution either; we may have to go back to the best or the simplest solution here if this is only complicating things.

  • JG

    On the subject of security, XFF can be forged easily, and therefore should not be relied upon for serious purposes. You should only trust the IP address of the peer of the connection.

    I would create a custom HTTP profile for your virtual server, accept the default setting for "Accept XFF", which is unchecked, and enable "Insert X-Forwarded-For", which would place the IP address of the connection peer in the header.

    Alternatively, you can accept incoming XFF and let the backend application log XFF and do whatever they want with the header data. Vendors of various web servers mostly have instructions available on how to log XFF.

    • Thank you

      Just wondering: when F5 adds the peer IP address and its own outgoing interface to the header while we have Insert X-Forwarded-For enabled, would the incoming peer's IP be the leftmost or the rightmost? This is a question the web server team wants answered before we move some of their applications to go through F5 from a legacy load balancer.
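The two points raised in this thread, that only the connection peer can be trusted and that the backend needs to know whether the client sits at the left or the right of the list, come together in how a backend should read the header. The following is an added example and not code from the thread or from F5: a backend-side resolver in Python that walks X-Forwarded-For from the right over a list of proxies we operate and stops at the first address that is not one of ours. The trusted ranges (10.0.0.0/8, 192.0.2.0/24) and the sample addresses are constructed for the example. It follows the de facto convention that each proxy appends the address of its own peer on the right; whether a given BIG-IP profile appends to an existing header or adds a second header instance is not established by this thread, so the parser accepts both forms.

```python
"""Resolve the originating client IP from X-Forwarded-For using a trusted-proxy list.

Convention assumed (de facto XFF behaviour): every proxy appends the address of the
peer it accepted the connection from, so the list reads oldest-claim on the LEFT and
nearest-hop on the RIGHT. Only values appended by hops we operate can be trusted.
"""
import ipaddress

# Constructed for this example: address ranges of the proxies we operate (e.g. the
# load balancer self-IPs and an upstream reverse proxy). Not values from the thread.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def parse_xff(header_values):
    """Flatten one or more X-Forwarded-For header instances into an ordered list.

    Several header instances are treated like one comma-joined value, which covers
    intermediaries that add a second header instead of appending to the first.
    """
    addrs = []
    for value in header_values:
        for part in value.split(","):
            part = part.strip()
            if part:
                addrs.append(part)
    return addrs


def is_trusted(addr_str, trusted=TRUSTED_PROXIES):
    """True if addr_str parses as an IP address inside one of our proxy ranges."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip, xff_values, trusted=TRUSTED_PROXIES):
    """Return the client address a backend may rely on.

    Walk from the connection peer leftwards through the chain while each hop is one
    of our proxies; the first address that is NOT a trusted proxy was appended by a
    trusted hop and is therefore the real client. Anything further left was supplied
    by an untrusted party and is ignored. A malformed token ends the walk and falls
    back to the peer address rather than guessing.
    """
    if not is_trusted(peer_ip, trusted):
        # The connecting peer is not one of our proxies, so it IS the client and
        # every XFF value it sent is under its control.
        return peer_ip
    for addr in reversed(parse_xff(xff_values)):
        if is_trusted(addr, trusted):
            continue  # another of our own hops; keep walking left
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            return peer_ip  # garbage in the header: do not guess
        return addr
    # Empty header, or only our own proxies listed: the peer is the best answer.
    return peer_ip


def rewrite_xff(peer_ip, xff_values, trusted=TRUSTED_PROXIES):
    """Header value to hand to the application: the single resolved client IP,
    which is what the original question asks for."""
    return resolve_client_ip(peer_ip, xff_values, trusted)


def append_hop(existing_value, peer_ip):
    """How a conventional proxy grows the header: its peer goes on the RIGHT."""
    return f"{existing_value}, {peer_ip}" if existing_value else peer_ip


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 that forged a leading value, passing
    # through our edge proxy (192.0.2.10) and then the load balancer (10.1.1.1),
    # which is the peer the backend sees.
    forged = "1.2.3.4"                       # spoofed by the client itself
    hdr = append_hop(forged, "203.0.113.7")  # edge proxy appends the real client
    hdr = append_hop(hdr, "192.0.2.10")      # load balancer appends the edge proxy
    print(hdr)                               # 1.2.3.4, 203.0.113.7, 192.0.2.10
    print(resolve_client_ip("10.1.1.1", [hdr]))  # 203.0.113.7
```

With this approach the leftmost-versus-rightmost question stops mattering to the application: the resolver starts at the peer and trusts exactly as many hops as the operator has declared, so a forged leading value is ignored and a connection that bypasses the proxies entirely is attributed to the peer that made it.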