when ASM_REQUEST_DONE {
set xff_is_sg ""
if { [whereis [IP::client_addr] country] ne "SG" } {
if { [HTTP::header exists "X-Forwarded-For"] } {
foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
log local0. "Current XFF element: $xff"
Check if the current XFF IP is in SG:
if { [whereis $xff country] eq "SG" } {
log local0. "$xff is from SG."
set xff_is_sg 1
break
}
}
if { $xff_is_sg ne "" } {
ASM::unblock
return
}
}
}
}
However, XFF can be spoofed. If you know which non-SG ip address range your users are forwarded from, then you can tighten up the rule by trusting that range only when processing XFF.