For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ganesh_Garg's avatar
Ganesh_Garg
Icon for Nimbostratus rankNimbostratus
Dec 08, 2016

Actual Client IP and Proxy IP in X-Forwarded-For

We have a setup where clients are behind proxy and proxy is the src-ip for LTM, we have enabled X-Forwarded-For and we are getting Proxy-IP in the header, but now the requirement is to have actual cl...
application delivery
devops
iRules
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Dec 08, 2016

Hi Ganesh,

to consolidate multiple occourences of 

X-Forwarded-For
headers, you may try the iRule below...

when HTTP_REQUEST {
    if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
        HTTP::header remove "X-Forwarded-For" 
        HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
    } else {
        HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
    }
}

The iRule will collect any existing X-Forwarded-For header values, then remove any existing X-Forwarded-For headers and finally create a new one with the collected values + the current "X-Forwarded-For" value. E.g.:

Incomming HTTP request headers
GET / HTTP/1.1  
Host: site.domain.de  
... 
X-Forwarded-For: 1.1.1.1  
X-Forwarded-For: 2.2.2.2, 3.3.3.3
X-Forwarded-For: 4.4.4.4

Outgoing HTTP request headers

GET / HTTP/1.1  
Host: site.domain.de  
... 
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5

Note: Make sure to disable the automatic X-Forwarded-For insert option in your HTTP profile. The insert will be already handled by this iRule...

Cheers, Kai