For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mtobkes_64700's avatar
mtobkes_64700
Icon for Nimbostratus rankNimbostratus
Mar 11, 2010

Can iRule Reject Requests Based on 'True-Client-IP'

Can someone please tell me if the LTM v9.4.7 can take action on requests, based on the HTTP header value for 'True-Client-IP'?     We will be 'Akamaizing' parts of our website and will no l...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Mar 11, 2010
You might also check to see if Akamai strips out any previously existing True-Client-IP headers before inserting it's own. You could test this to see. If they don't then you could check to see whether Akamai's header is always inserted last. In that case, you should be fine using hte iRule as HTTP::header retrieves the value for the last named header.

I don't think Akamai would append the client IP they get to an existing True-Client-IP header, so you could probably skip the split/loop on the True-Client-IP header value. If you did want to keep the split/loop, you could eliminate some intermediate variables: 

  
  when HTTP_REQUEST {  
     if { [HTTP::header "True-Client-IP"] ne ""} {  
    
         header may be in format of addr1,addr2,addr3  
        foreach addr [split [HTTP::header "True-Client-IP"] ","] {  
           if { [matchclass banned_addr_list equals $addr] } {  
              HTTP::respond 403  
           }  
        }  
     }  
  }

Aaron