Antonio_Varni
Jan 21, 2008 Nimbostratus
replace all instances of an HTTP header
How can I replace all instances of a given header?
Specifically, in my case I am trying to remove all previously set X-Forwarded-For headers before having the LTM inject its own. The X-Forwarded-For HTTP profile does not do this - it just appends its own.
An iRule approach I tried was this:
when HTTP_REQUEST {
    # Set X-Forwarded-For to the connecting client's address
    HTTP::header replace X-Forwarded-For [IP::remote_addr]
}
This works if there is only 1 previously set X-Forwarded-For header - it replaces it with its own.
You see - our application server only uses the first encountered X-Forwarded-For header and ignores the rest.
I can also write an iRule that deletes X previous copies of X-Forwarded-For before injecting its own. But - an attacker only needs to specify X+1 headers to effectively spoof/mask their source IP address from our application's perspective.
A recursive iRule maybe? Or am I missing something basic?
I may need to find an application fix for this as I can at this point guarantee that the _last_ set X-Forwarded-For header is legit.
running 9.2.3
TIA
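
Added example (not part of the original post, and not F5 iRule code): a Python model of the header handling described above, comparing an appending proxy with one that removes every X-Forwarded-For instance, and a first-header application with one that trusts only the last value. All header values, addresses and function names are constructed for illustration; the comma-separated list handling goes beyond the case in the post.

```python
# Constructed sample: a client sends two forged X-Forwarded-For headers
# (one with different casing, one carrying a comma-separated list).
CLIENT_HEADERS = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("x-forwarded-for", "10.0.0.2, 10.0.0.3"),
    ("User-Agent", "demo"),
]
PEER_ADDR = "203.0.113.7"  # address the proxy saw on the TCP connection
XFF = "x-forwarded-for"


def proxy_append(headers, peer):
    """Behaviour described in the post: existing headers stay, one is added."""
    return list(headers) + [("X-Forwarded-For", peer)]


def proxy_replace_all(headers, peer):
    """Drop every instance (case-insensitive match), then insert exactly one."""
    kept = [(n, v) for n, v in headers if n.lower() != XFF]
    return kept + [("X-Forwarded-For", peer)]


def app_first(headers):
    """What the post's application server does: the first instance wins."""
    for name, value in headers:
        if name.lower() == XFF:
            return value.split(",")[0].strip()
    return None


def app_last(headers):
    """Application-side fix: trust only the rightmost value of the last instance."""
    values = [v for n, v in headers if n.lower() == XFF]
    if not values:
        return None
    return values[-1].split(",")[-1].strip()


if __name__ == "__main__":
    appended = proxy_append(CLIENT_HEADERS, PEER_ADDR)
    replaced = proxy_replace_all(CLIENT_HEADERS, PEER_ADDR)
    print("append + first :", app_first(appended))   # client-controlled value
    print("append + last  :", app_last(appended))    # proxy-set value
    print("replace + first:", app_first(replaced))   # proxy-set value
```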