Forum Discussion
ant77
Jul 01, 2020 | Cirrostratus
Alternative to getfield to check XFF client IP using data group
Hi All, We ran into a bug when upgrading to 13.1.3.3 that processes an iRule to check the client IP address in an XFF header against what is defined in a data group "DG-ALLOWED-IP". Is there an...
Kevin_Davies
Jul 01, 2020 | MVP
This should do the trick; it has the added bonus of allowing for an empty header. Remove the break to process all the IP addresses on the X-Forwarded-For line instead of only the first. Note: If there are multiple of the same header or multiple addresses on the header, the HTTP::header values command returns them all as a comma-separated list.
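when HTTP_REQUEST {
    # Walk the X-Forwarded-For values; an empty header yields no iterations
    foreach CHECK_IP [split [HTTP::header values X-Forwarded-For] ","] {
        # The address is not in the DG-ALLOWED-IP data group
        if { !([class match [string trim $CHECK_IP] eq DG-ALLOWED-IP]) } {
            # Reject only when the requested URI is listed in DG-ALLOWED-URI-LIST
            if { [class match [HTTP::uri] eq DG-ALLOWED-URI-LIST] } {
                reject
            }
        }
        # Stop after the first address; remove this to check every address
        break
    }
}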
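A variant of the iRule above that checks every address instead of only the first, as an added example that is not part of the original answer. It assumes DG-ALLOWED-IP is an address-type data group and DG-ALLOWED-URI-LIST is a string-type one; treating an entry that cannot be matched as "not allowed" is a choice made here.

```tcl
when HTTP_REQUEST {
    # Only URIs listed in DG-ALLOWED-URI-LIST are subject to the XFF check,
    # so test the URI once instead of once per address.
    if { !([class match -- [HTTP::uri] equals DG-ALLOWED-URI-LIST]) } {
        return
    }

    # HTTP::header values returns one list element per header instance.
    # Join them with commas first, so "a, b" in a single header and
    # separate "a" / "b" headers are split into the same set of entries.
    set xff_all [join [HTTP::header values X-Forwarded-For] ","]

    # An absent or empty header produces no entries and the request is
    # allowed, matching the behaviour of the iRule in the answer.
    foreach entry [split $xff_all ","] {
        set ip [string trim $entry]
        if { $ip eq "" } {
            # Skip empty fields such as a trailing comma
            continue
        }

        # catch guards against a runtime error if the entry is not a
        # usable address; such an entry is treated as not allowed.
        set allowed 0
        if { [catch { set allowed [class match -- $ip equals DG-ALLOWED-IP] }] } {
            set allowed 0
        }

        if { !$allowed } {
            # Log the TCP peer rather than the header value, which is
            # supplied by the client and should not be written verbatim.
            log local0.notice "XFF check failed for peer [IP::client_addr]"
            reject
            return
        }
    }
}
```

Because every entry must match, a request is rejected as soon as one address in the chain is outside DG-ALLOWED-IP, so the data group has to include any intermediate proxies that append themselves to the header.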