Forum Discussion

MW1
Dec 12, 2019
Solved

Extract 2nd to last IP from X-FORWARDED-FOR header

All,

 We are implementing a WAF in front of our F5 LTMs which will act as a proxy, and insert the client IP into the X-FORWARDED-FOR header. We currently have a number of iRules that use the client IP to block or route the traffic. As the X-FORWARDED-FOR header could be set prior to reaching the WAF, the client IP (as the WAF sees it) may not be the first IP in the header but would always be the second to last IP.

 

Can anyone suggest how I can, in an iRule, extract the 2nd to last IP from the X-FORWARDED-FOR header so I could then update the iRules?


2 Replies

  • May have answered my own question:

     

    set RealClientIP [lindex [split [HTTP::header X-Forwarded-For] ","] end-1]

  • Just as a final note, in case anyone stumbles over my query: I did find an issue when trying to match the variable to a datagroup that there is a leading space preventing matching (attempts to set the split to work on ", " didn't seem to work), so I had to add a line to remove this with a string map. Example iRule logging the whole X-FWD-FOR header, client IP as seen by the F5 and the "real client IP" as seen by the WAF:

    when HTTP_REQUEST {
        # Split the header on commas; the entry before the last one is the
        # address the WAF saw, because the WAF appends the client IP last.
        set RealClientIP [lindex [split [HTTP::header X-Forwarded-For] ","] end-1]
        # Entries are normally separated by ", ", so strip the leading space
        # before comparing the value against a data group.
        set RealClientIP [string map {" " ""} $RealClientIP]
        log local0. " X-Forwarded-For: [HTTP::header X-Forwarded-For] Client IP [IP::client_addr] Real Client IP: $RealClientIP "
    }
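The following iRule is an added example for the problem discussed in this thread; it is not the original poster's code. It generalises the "second to last" rule to "count N trusted hops in from the right", trims each entry so the ", " separator no longer breaks data-group matching, and adds the two checks a practitioner would want before letting X-Forwarded-For drive blocking or routing decisions: the header is only trusted when the TCP peer is the WAF, and the chosen entry must actually parse as an IP address. The data group names `waf_addresses` and `blocked_clients`, the variable names, and the hop count of 1 are assumptions chosen for illustration.

```tcl
# Added example (not the original poster's iRule). Assumptions, all of which
# are hypothetical names/values chosen for illustration:
#   - the WAF's addresses are kept in an address-type data group called
#     "waf_addresses"
#   - exactly one trusted proxy (the WAF) sits between the LTM and the client,
#     so the client the WAF saw is the entry one in from the right
#   - the existing block list is an address-type data group "blocked_clients"
when HTTP_REQUEST {
    set trusted_hops 1
    set xff_client ""

    # Only trust X-Forwarded-For when the TCP peer really is the WAF. If a
    # request can reach the LTM without passing the WAF, the whole header is
    # attacker-controlled and must be ignored.
    if { [class match [IP::client_addr] equals waf_addresses] } {
        # A proxy may add a second X-Forwarded-For line instead of appending
        # to the first one; join all occurrences so the ordering is preserved.
        set raw [join [HTTP::header values X-Forwarded-For] ","]

        # Split on commas only, then trim each entry. Splitting on ", " does
        # not work because Tcl's split treats every character of its second
        # argument as a separator, which leaves empty entries behind.
        set entries [list]
        foreach entry [split $raw ","] {
            set entry [string trim $entry]
            if { $entry ne "" } {
                lappend entries $entry
            }
        }

        # Count from the right: index = last - trusted_hops. With one hop
        # this is the same as "end-1"; with too few entries, fall through.
        set idx [expr {[llength $entries] - 1 - $trusted_hops}]
        if { $idx >= 0 } {
            set candidate [lindex $entries $idx]
            # Reject entries that are not IP addresses ("unknown", junk).
            # IP::addr raises an error on an unparsable address, so catch it.
            if { ![catch { IP::addr $candidate equals $candidate }] } {
                set xff_client $candidate
            }
        }
    }

    # Fall back to the TCP peer when nothing usable was found.
    if { $xff_client eq "" } {
        set xff_client [IP::client_addr]
    }

    log local0. "XFF: [HTTP::header X-Forwarded-For] peer: [IP::client_addr] client: $xff_client"

    # The existing block list is now checked against the WAF-seen client
    # instead of the WAF's own address.
    if { [class match $xff_client equals blocked_clients] } {
        reject
    }
}
```

If more than one trusted proxy is chained in front of the LTM, set `trusted_hops` to the number of hops; never use the first entry of the header, since anything to the left of the trusted proxies' entries is client-supplied.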