Forum Discussion

ant77's avatar
ant77
Icon for Cirrostratus rankCirrostratus
Jul 01, 2020

Alternative to getfield to check XFF client IP using data group

Hi All, We ran into a bug when upgrading to 13.1.3.3 that process an iRule to check the client IP address in an XFF header against what is defined in a data group "DG-ALLOWED-IP". Is there an...
application delivery
BIG-IP
iRules
ant77's avatar
ant77
Icon for Cirrostratus rankCirrostratus
Jul 02, 2020

Hello Kevin,

 

I just tested this and it does not seem to be working. It doesn't look like the client IP in the XFF header is being matched. This was working without issues when we were on code 12.1.3, but after the upgrade to 13.1.3, it stopped working and causes the website to fail.

 

Conditions:

 

  1. The iRule should check the XFF header, and if the IP is other then what is in the data group (DG-ALLOWED-IP) when users are trying to go to the URIs listed in the other data group (DG-ALLOWED-URI-LIST), then it should be dropped.

 

2. If they try to go to the other URI listed under the "switch", and their source XFF client IP matches what is in the "DG-ALLOWED-IP) data group, they should be allowed in.

 

3. If they go to "/public/idtracker" and their IP matches the "DG-ALLOWED-IP" list, they should get redirected to "/secure/idtracker"

 

 

We use a CDN that adds the original client IP to the XFF header..that is what we should be matching against.

 

Data Group= DG-ALLOWED-IP

Data group IP: 1.1.1.1 and 2.2.2.2

 

Data Group=DG-ALLOWED-URI-LIST

/auth1

/auth2

/auth3

 

*** Below is your recommendation that I tried use in our iRule. I had to make some changes to our actual script for confidentiality of course...but you can see what we are trying to do here...It does not seem to be working. We have to temporarily remove this Irule to get the website to even load.

 

when HTTP_REQUEST {
if { [active_members POOL-WEBSERVERS] < 1 } {
HTTP::redirect " http://maintenance.mysite.com" 
    } else { 
 
foreach CHECK_IP [split [HTTP::header values X-Forwarded-For] ","] {
    if { !([class match [string trim $CHECK_IP] eq DG-ALLOWED-IP]) } {
      if { [class match [HTTP::uri] eq DG-ALLOWED-URI-LIST] } {
            reject 
             }
            }
          break
          }
          switch -glob [HTTP::uri] {
         "*/abc/portal1/idtrack*" -
         "*/cde/portal2/idtrack2*" -
         "*/fgh/abc/portal3/idtrack*" {
          if { ([class match $CHECK_IP eq DG-ALLOWED-IP]) } {
			if { [HTTP::uri] contains "/public/idtracker" } {
				HTTP::redirect "https://[HTTP::host]/secure/idtracker"
			} else {
          HTTP::redirect "https://[HTTP::host]/login2/public/idtracker/" 
   	   }
	 }
       }
    }
  }
}