Forum Discussion
Nandhi
Cirrus
CirrusAdd a custom "X-forwarded-for" header name
Hello Everyone,
Need an assistant to add custom http header name and value to insert XFF headers. The default name "X-forwarded-for" cannot understand by the client side. Example need to add name "HTTP_XFF" instead of default one which known by end node.
Not sure whether this achived either irule or http profile. The irule used below wont help and client cannot see the custom header name.
when HTTP_Request
{
HTTP::header remove X-forwarded-for
HTTP::header insert HTTP_XFF [IP::client_addr]
log local0."[IP::local_addr] XFF to: [IP::client_addr]"
}
---------
Any suggestions would be appreciated. Thanks.
- JRahm
Admin
Hi Nandhi, I am not able to get the profile suggestions by Paulius or zamroni777 working in my local lab (happy to be told what I'm doing wrong!) but I am able to a) remove any existing X-Forwarded-For that arrives and b) insert new based on the requests client IP address both via iRule and local traffic policy. I find the traffic policy overly complicated as it requires Tcl anyway, so personally I'd use the iRule, but both solutions work.
iRule
when HTTP_REQUEST { if { [HTTP::header exists "X-Forwarded-For"] } { HTTP::header remove "X-Forwarded-For" } HTTP::header insert "X-Custom-XFF" [IP::client_addr] }Policy
ltm policy insert_custom_xff { last-modified 2024-01-10:15:50:09 requires { http } rules { custom_xff { actions { 0 { http-header insert name X-Custom-XFF value tcl:[IP::client_addr] } } ordinal 1 } remove_std_xff { actions { 0 { http-header remove name X-Forwarded-For } } } } status published strategy all-match } - zamroni777
Nacreous
it's better to use gui based local traffic policy rather than irules to avoid scripting typo
- JRahm
For breadth of the iRules vs Local Traffic Policy conversation...I tend to disagree with the generic advice of policy > iRules. I know policies are more performant (but marginal, YMMV), and if you can use policies over iRules that's fine, but my personal rule of thumb (not F5 official best practices or recommendations) on policies is to use them ONLY IF:
1. I don't need any Tcl in them
2. I don't have any iRules touching the same virtual servers
3. My use for iRules is very limited globally
4. I'm very good at documenting the lines of mgmt/control between the logic in native objects vs iRules
5. I own the iRules AND the policies
NandhiThanks Paulius & Zamroni.
The actual need is bit different. The end point expecting the header name "HTTP_XFF" with original client IP. By default, header name uses the string X-forwarded-for:<client-ip>
The end point does not support "X-forwarded-for" and supported configuration is ,<add key="LoadBalancerClientAddressHeader" Value="HTTP_XFF"/>
- zamroni777
when the http request comes to f5 vs, does it already have xff header?
if no, then you simply can set the custom header name in http profile as Paulius mentioned above.
example in picture 1but if yes, then you can use gui based traffic policy to copy and create new xff header.
example in picture 2
Juergen_MangMVP
In your first post you wrote client side, but your iRule manipulates the header that will be sent to the server side.
