Forum Discussion
Add a custom "X-forwarded-for" header name
Hello Everyone,
Need an assistant to add custom http header name and value to insert XFF headers. The default name "X-forwarded-for" cannot understand by the client side. Example need to add name "HTTP_XFF" instead of default one which known by end node.
Not sure whether this achived either irule or http profile. The irule used below wont help and client cannot see the custom header name.
when HTTP_Request
{
HTTP::header remove X-forwarded-for
HTTP::header insert HTTP_XFF [IP::client_addr]
log local0."[IP::local_addr] XFF to: [IP::client_addr]"
}
---------
Any suggestions would be appreciated. Thanks.
Nandhi You should be able to do this with an HTTP profile with XFF enabled and it should let you name it what you wish rather than using an iRule.
- JRahmAdmin
Hi Nandhi, I am not able to get the profile suggestions by Paulius or zamroni777 working in my local lab (happy to be told what I'm doing wrong!) but I am able to a) remove any existing X-Forwarded-For that arrives and b) insert new based on the requests client IP address both via iRule and local traffic policy. I find the traffic policy overly complicated as it requires Tcl anyway, so personally I'd use the iRule, but both solutions work.
iRule
when HTTP_REQUEST { if { [HTTP::header exists "X-Forwarded-For"] } { HTTP::header remove "X-Forwarded-For" } HTTP::header insert "X-Custom-XFF" [IP::client_addr] }
Policy
ltm policy insert_custom_xff { last-modified 2024-01-10:15:50:09 requires { http } rules { custom_xff { actions { 0 { http-header insert name X-Custom-XFF value tcl:[IP::client_addr] } } ordinal 1 } remove_std_xff { actions { 0 { http-header remove name X-Forwarded-For } } } } status published strategy all-match }
- zamroni777Nacreous
it's better to use gui based local traffic policy rather than irules to avoid scripting typo
- JRahmAdmin
For breadth of the iRules vs Local Traffic Policy conversation...I tend to disagree with the generic advice of policy > iRules. I know policies are more performant (but marginal, YMMV), and if you can use policies over iRules that's fine, but my personal rule of thumb (not F5 official best practices or recommendations) on policies is to use them ONLY IF:
1. I don't need any Tcl in them
2. I don't have any iRules touching the same virtual servers
3. My use for iRules is very limited globally
4. I'm very good at documenting the lines of mgmt/control between the logic in native objects vs iRules
5. I own the iRules AND the policies
- NandhiCirrus
Thanks Paulius & Zamroni.
The actual need is bit different. The end point expecting the header name "HTTP_XFF" with original client IP. By default, header name uses the string X-forwarded-for:<client-ip>
The end point does not support "X-forwarded-for" and supported configuration is ,<add key="LoadBalancerClientAddressHeader" Value="HTTP_XFF"/>
Nandhi I'm not sure I am understanding your request. If you are looking to use an different X-Forwarded-For name you can use the field in "XFF Alternative Names" in the HTTP profile rather than using an iRule.
- zamroni777Nacreous
when the http request comes to f5 vs, does it already have xff header?
if no, then you simply can set the custom header name in http profile as Paulius mentioned above.
example in picture 1but if yes, then you can use gui based traffic policy to copy and create new xff header.
example in picture 2
In your first post you wrote client side, but your iRule manipulates the header that will be sent to the server side.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com