Forum Discussion

Nandhi's avatar
Nandhi
Icon for Cirrus rankCirrus
Jan 10, 2024

Add a custom "X-forwarded-for" header name

Hello Everyone,

Need an assistant to add custom http header name and value to insert XFF headers. The default name "X-forwarded-for" cannot understand by the client side. Example need to add name "HTTP_XFF" instead of default one which known by end node.

Not sure whether this achived either irule or http profile. The irule used below wont help and client cannot see the custom header name.

when HTTP_Request

{

HTTP::header remove X-forwarded-for

HTTP::header insert HTTP_XFF [IP::client_addr]

log local0."[IP::local_addr] XFF to: [IP::client_addr]"

}

---------

 Any suggestions would be appreciated. Thanks.

 

  • Nandhi You should be able to do this with an HTTP profile with XFF enabled and it should let you name it what you wish rather than using an iRule.

  • Hi Nandhi, I am not able to get the profile suggestions by Paulius or zamroni777 working in my local lab (happy to be told what I'm doing wrong!) but I am able to a) remove any existing X-Forwarded-For that arrives and b) insert new based on the requests client IP address both via iRule and local traffic policy. I find the traffic policy overly complicated as it requires Tcl anyway, so personally I'd use the iRule, but both solutions work.

    iRule

     

    when HTTP_REQUEST {
        if { [HTTP::header exists "X-Forwarded-For"] } {
            HTTP::header remove "X-Forwarded-For"
        }
        HTTP::header insert "X-Custom-XFF" [IP::client_addr]
    }

     

    Policy

     

    ltm policy insert_custom_xff {
        last-modified 2024-01-10:15:50:09
        requires { http }
        rules {
            custom_xff {
                actions {
                    0 {
                        http-header
                        insert
                        name X-Custom-XFF
                        value tcl:[IP::client_addr]
                    }
                }
                ordinal 1
            }
            remove_std_xff {
                actions {
                    0 {
                        http-header
                        remove
                        name X-Forwarded-For
                    }
                }
            }
        }
        status published
        strategy all-match
    }

     

     

    • JRahm's avatar
      JRahm
      Icon for Admin rankAdmin

      For breadth of the iRules vs Local Traffic Policy conversation...I tend to disagree with the generic advice of policy > iRules. I know policies are more performant (but marginal, YMMV), and if you can use policies over iRules that's fine, but my personal rule of thumb (not F5 official best practices or recommendations) on policies is to use them ONLY IF:

      1. I don't need any Tcl in them
      2. I don't have any iRules touching the same virtual servers
      3. My use for iRules is very limited globally
      4. I'm very good at documenting the lines of mgmt/control between the logic in native objects vs iRules
      5. I own the iRules AND the policies

  • Thanks Paulius & Zamroni.

    The actual need is bit different. The end point expecting the header name "HTTP_XFF" with original client IP. By default, header name uses the string X-forwarded-for:<client-ip>

    The end point does not support "X-forwarded-for" and supported configuration is ,<add key="LoadBalancerClientAddressHeader" Value="HTTP_XFF"/>

    • Paulius's avatar
      Paulius
      Icon for MVP rankMVP

      Nandhi I'm not sure I am understanding your request. If you are looking to use an different X-Forwarded-For name you can use the field in "XFF Alternative Names" in the HTTP profile rather than using an iRule.

    • zamroni777's avatar
      zamroni777
      Icon for Nacreous rankNacreous

      when the http request comes to f5 vs, does it already have xff header?

      if no, then you simply can set the custom header name in http profile as Paulius mentioned above.
      example in picture 1

      but if yes, then you can use gui based traffic policy to copy and create new xff header.
      example in picture 2

       

  • In your first post you wrote client side, but your iRule manipulates the header that will be sent to the server side.