Forum Discussion
ant77
Jul 01, 2020 (Cirrostratus)
Alternative to getfield to check XFF client IP using data group
Hi All, We ran into a bug when upgrading to 13.1.3.3 that processes an iRule to check the client IP address in an XFF header against what is defined in a data group "DG-ALLOWED-IP". Is there an...
Simon_Blakely
Jul 01, 2020 (Employee)
So [HTTP::header values X-Forwarded-For] returns a list of values for X-Forwarded-For.
But X-Forwarded-For may have multiple forwarding IPs, and multiple headers, and look like:
X-Forwarded-For: 10.0.0.1, 192.168.10.10
X-Forwarded-For: 172.16.0.200
So what does the iRule see?
[HTTP::header values X-Forwarded-For]
{10.0.0.1, 192.168.10.10} 172.16.0.200
This is a TCL list of X-Forwarded-For headers, with the first entry being
{10.0.0.1, 192.168.10.10}
You need to grab the first item in the TCL list using the following sequence:
{10.0.0.1, 192.168.10.10} 172.16.0.200
[split $xff "\{\} ,"]
{} 10.0.0.1 {} 192.168.10.10 {} 172.16.0.200
[lsearch -all -inline -not -exact [split $xff "\{\} ,"] {}]
10.0.0.1 192.168.10.10 172.16.0.200
[lindex [lsearch -all -inline -not -exact [split $xff "\{\} ,"] {}] 0]
10.0.0.1
So your iRule should be:
when HTTP_REQUEST {
    # first address of the first X-Forwarded-For header, after splitting on braces, spaces and commas
    set CHECK_IP [lindex [lsearch -all -inline -not -exact [split [HTTP::header values X-Forwarded-For] "\{\} ,"] {}] 0]
    if { !([class match $CHECK_IP eq DG-ALLOWED-IP]) } {
        if { [class match [HTTP::uri] eq DG-ALLOWED-URI-LIST] } {
            reject
        }
    }
}
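The following is an added Python model of the answer's logic, not code from the answer or from F5: it flattens the list of X-Forwarded-For values exactly as the split / lsearch step does, selects the leftmost entry the way [lindex ... 0] does, and models the two data-group checks. It also shows the check a practitioner usually wants beside it: selecting the rightmost entry not written by a trusted proxy, since the leftmost entry is set by whoever sent the request. SAMPLE_XFF_VALUES, DG_ALLOWED_IP and TRUSTED_PROXIES are constructed sample data, and rightmost_untrusted_address is a hypothetical helper, not an iRule command.

```python
import ipaddress

# Constructed sample input: the list that [HTTP::header values X-Forwarded-For]
# would return for the two headers shown in the answer (two values, the first
# itself comma-separated).
SAMPLE_XFF_VALUES = ["10.0.0.1, 192.168.10.10", "172.16.0.200"]

# Constructed stand-in for the DG-ALLOWED-IP address data group.
DG_ALLOWED_IP = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.10/32"),
]

# Hypothetical: address ranges of the proxies that sit in front of the BIG-IP
# and are known to append their own X-Forwarded-For entries.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.0/16")]


def xff_addresses(header_values):
    """Flatten every X-Forwarded-For header value into one ordered list of
    address tokens, mirroring the split / lsearch -not {} step of the iRule."""
    addrs = []
    for value in header_values:
        for part in value.split(","):
            token = part.strip()
            if token:          # drop the empty strings the split produces
                addrs.append(token)
    return addrs


def first_xff_address(header_values):
    """The leftmost address, i.e. what the iRule's [lindex ... 0] selects."""
    addrs = xff_addresses(header_values)
    return addrs[0] if addrs else None


def parse_ip(token):
    """Return an IP address object, or None for a token that is not an IP
    (e.g. 'unknown'), so a malformed header never raises inside the check."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def in_data_group(token, data_group):
    """Model of [class match $token equals <address data group>]."""
    ip = parse_ip(token)
    return ip is not None and any(ip in net for net in data_group)


def rightmost_untrusted_address(header_values, trusted_proxies):
    """Walk the chain from the right, skipping entries added by proxies we
    trust; the first remaining entry is the one a trusted hop actually saw.
    The leftmost entry, by contrast, is whatever the sender chose to write."""
    for token in reversed(xff_addresses(header_values)):
        ip = parse_ip(token)
        if ip is None:
            return None    # unparseable hop: refuse to guess rather than allow
        if not any(ip in net for net in trusted_proxies):
            return token
    return None


def should_reject(check_ip, uri_is_restricted, allowed=DG_ALLOWED_IP):
    """The answer's decision: reject when the selected IP is not in the
    allow list and the requested URI is in the restricted-URI data group."""
    if check_ip is None:
        return uri_is_restricted
    return uri_is_restricted and not in_data_group(check_ip, allowed)


if __name__ == "__main__":
    ip = first_xff_address(SAMPLE_XFF_VALUES)
    print("leftmost XFF entry:", ip, "-> reject:", should_reject(ip, True))
    ip = rightmost_untrusted_address(SAMPLE_XFF_VALUES, TRUSTED_PROXIES)
    print("rightmost untrusted entry:", ip, "-> reject:", should_reject(ip, True))
```

On the constructed sample, the leftmost entry is 10.0.0.1 (allowed, so the request passes), while the rightmost entry not belonging to a trusted proxy is 192.168.10.10; which of the two is the right input to the allow-list check depends on which proxies in front of the BIG-IP are trusted to write the header.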