Forum Discussion

Snl's avatar
Snl
Icon for Cirrostratus rankCirrostratus
Feb 25, 2018

Asm geo location irule

folks , need some help with asm geo location irule I want to allow Ip address which contain country SG in forwarder Header , since i have only restricted my ASM geo location policy to allow only ...
application delivery
ASM Advanced WAF
iRules
JG's avatar
JG
Icon for Cumulonimbus rankCumulonimbus
Feb 26, 2018
when ASM_REQUEST_DONE {
    set xff_is_sg ""
    if { [whereis [IP::client_addr] country] ne "SG" } {
        if { [HTTP::header exists "X-Forwarded-For"] } {
            foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
                log local0. "Current XFF element: $xff"
                 Check if the current XFF IP is in SG:
                if { [whereis $xff country] eq "SG" } {
                    log local0. "$xff is from SG."
                    set xff_is_sg 1
                    break
                }
            }
            if { $xff_is_sg ne "" } {
                ASM::unblock
                return
            }
        }
    }
}

However, XFF can be spoofed. If you know which non-SG ip address range your users are forwarded from, then you can tighten up the rule by trusting that range only when processing XFF.