For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ganesh_Garg's avatar
Ganesh_Garg
Icon for Nimbostratus rankNimbostratus
Dec 08, 2016

Actual Client IP and Proxy IP in X-Forwarded-For

We have a setup where clients are behind proxy and proxy is the src-ip for LTM, we have enabled X-Forwarded-For and we are getting Proxy-IP in the header, but now the requirement is to have actual client IP as well in the header(Client-IP,Proxy1-IP).

 

I have enabled the X-forwarded-for on the proxy, but still it seems that the LB is replacing the header with the latest one(proxy-ip)

 

Please suggest how to get both IP's in the header.

 

application delivery
devops
iRules
LTM

3 Replies

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Dec 08, 2016

    Hi Ganesh,

    to consolidate multiple occourences of 

    X-Forwarded-For
    headers, you may try the iRule below...

    when HTTP_REQUEST {
    if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
        HTTP::header remove "X-Forwarded-For" 
        HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
    } else {
        HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
    }
}

    The iRule will collect any existing X-Forwarded-For header values, then remove any existing X-Forwarded-For headers and finally create a new one with the collected values + the current "X-Forwarded-For" value. E.g.:

    Incomming HTTP request headers
GET / HTTP/1.1  
Host: site.domain.de  
... 
X-Forwarded-For: 1.1.1.1  
X-Forwarded-For: 2.2.2.2, 3.3.3.3
X-Forwarded-For: 4.4.4.4

    Outgoing HTTP request headers

    GET / HTTP/1.1  
Host: site.domain.de  
... 
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5

    Note: Make sure to disable the automatic X-Forwarded-For insert option in your HTTP profile. The insert will be already handled by this iRule...

    Cheers, Kai

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Dec 16, 2016

    Would the following fix this for you?

     

    In Configuration Utility go:

     

    • Local Traffic ›› Profiles : Services : HTTP ›› your_http_profile

       

    • and tick the box for "Accept XFF"

       

    • Fill the field of "XFF Alternative Names"

       

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Dec 21, 2016

    Hi Ganesh,

    I've just checked the provided iRule and it works for me. Please use the iRule below to troubleshoot the issue and post back the resulting logs...

    when HTTP_REQUEST {

    log local0.debug "Orig XFF: [HTTP::header values "X-Forwarded-For"]"

    if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
        HTTP::header remove "X-Forwarded-For" 
        HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
    } else {
        HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
    }

    log local0.debug "New XFF: [HTTP::header values "X-Forwarded-For"]"

}

    Note: Also make sure, the 

    Insert X-Forwarded-For
    option of your attached HTTP profile is set to 
    disable
    .

    Cheers, Kai