For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Icemanii_116694's avatar
Icemanii_116694
Icon for Nimbostratus rankNimbostratus
Jan 02, 2014

Block Opera Mini users using true client IP

I'm trying to restrict users from certain countries using Opera Mini browser from accessing my server. I'm using the following irule to replace the IP::client_addr field with the XFF IP:   when H...
application delivery
devops
iRules
microsoft
mikeshimkus_111's avatar
mikeshimkus_111
Historic F5 Account
Jan 02, 2014

Hi Icemanii, I think you could accomplish this by creating an LTM datagroup with the IPs you want to block (named "banned_addresses" in my example) and creating an iRule similar to this one to respond to blocked requests. You shouldn't need to use X-forwarded-for at all if this BIG-IP can see the true client IP address.

when HTTP_REQUEST { 
if { [string tolower [HTTP::header "User-Agent"]] contains "mini opera" } { 
    if { [class match [IP::client_addr] equals "banned_addresses"] } { 
        set response "Access Denied
        We are sorry, but access to the  is
        restricted to approved client IP addresses. Your IP address, 
        [IP::client_addr], is not approved."
        HTTP::respond 200 content $response
    } 
}

}

Icemanii_116694's avatar
Icemanii_116694
Icon for Nimbostratus rankNimbostratus
Jan 02, 2014
Hi, thanks for the response. The opera mini browser acts like a proxy replacing the true client IP with a US based IP. I have another rule which drops all request from US country using the geoip targeting restriction. As such, I need to check the client's true country of origin to allow or drop the request. if {([class match [whereis [IP::client_addr] country] equals BlockedCountry]) } { drop} So I need to check for mobile users using opera mini as a browser and determining their real client ip instead of the IP from the Opera Mini.