Check to see if XFF is present, if so don't insert XFF

Question

External users hit a dns entry on a Netscaler in our dmz. That device inserts the XFF and then passes (pass through mode) the data to an F5 internal to our network. What we are looking to do is if the XFF header is present, don't over write it.&nbsp;
In the case of a connection from outside of the trusted network the XFF header is always the address of the Netscaler passing the connection to the internal F5.&nbsp;
In the case of interanal connections we are looking to have the XFF header inserted as the connection will hit the F5 vip.&nbsp;
So if the internal F5 sees the xFF header inserted by the Netscaler, pass that along as it is so the source of the netscaler doesn't replace the correct on. If there is no XFF the connection is assumed to be internal and the correct XFF header needs to be inserted.&nbsp;
 &nbsp;
Thanks&nbsp;
JohnKrum&nbsp;

t-roy · Answer

when HTTP_REQUEST { 
&nbsp;    insert XFF if it doesn't exist 
&nbsp;    if {not [HTTP::header exists "X-Forwarded-For"]} { 
&nbsp;              HTTP::header insert X-Forwarded-For [IP::client_addr] 
&nbsp;   } 
&nbsp; }

johnkrum_45755 · Answer

I was able to test  
&nbsp;  
&nbsp; when HTTP_REQUEST {  
&nbsp; insert XFF if it doesn't exist  
&nbsp; if {not [HTTP::header exists "X-Forwarded-For"]} {  
&nbsp; HTTP::header insert X-Forwarded-For [IP::client_addr]  
&nbsp; }  
&nbsp; } 
&nbsp;  
&nbsp; today and if I look at the cookie I see both IP addresses inserted. 198.177.94.250 and 10.129.14.248 
&nbsp;  
&nbsp; auroraSSO=266391041180ICONNECTEMPHAGA                          BILLY               https://caregiverconnect.aurora.org198.177.94.250, 10.129.14.2481364235987888AdqO34nrlPBoHQNreOq+OepatfI= 
&nbsp;  
&nbsp; Any adjustments that I can make to have get this to work? 
&nbsp; To be more clear -  
&nbsp; 1) if the connection is internal to our network the request goes directly to the F5 vip and XFF is inserted 
&nbsp; 2) if the connection is external to our network the request hits a Netscaler which inserts the XFF and the connection is passed on to the F5 VIP 
&nbsp;     The iRule should see the XFF and not over write or insert a new one.  
&nbsp;  
&nbsp; Thanks &nbsp;

what_lies_bene1 · Answer

Sorry but can you clarify the issue please? You mention you are looking at a cookie, I'm not sure what this has to do with XFF HTTP Headers. How are you checking whether the header is inserted or not? Can you confirm the name and case of the header the Netscaler is inserting?

johnkrum_45755 · Answer

Steve, 
&nbsp; Your right, that is inserted in the get. I have a question asking how the developers are pulling that address to build the cookie I displayed above. I could get a packet capture if need be. I will keep you posted. 
&nbsp; Thanks,

Forum Discussion

Check to see if XFF is present, if so don't insert XFF

4 Replies

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Viprion End of Software Support (EoSS)

Restore configuration to GTM Sync Group device

Questions on device trust

BIG‑IQ: Adding rSeries/Velos Devices through the REST API

AppWorld DC Booth Kiosk Generator

Related Content

BIG-IP security hardening and compliance checks

Strict header Insertion

Security Headers Insertion

F5 SLEDFest 2022 Tallahassee Edition - Infrastructure Modernization presentation

F5 SLEDFest 2022 Tallahassee Edition - Enterprise Application Strategy presentation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS