plavender_72604
Dec 02, 2008

Denying x-forwarded-for and true-client-ip optimisation

Hello,

I have found the following iRule that has been posted:

    when HTTP_REQUEST {
      if { [HTTP::header exists "X-Forwarded-For"] } {
        set xff [HTTP::header "X-Forwarded-For"]
        # xff may be in format of addr1,addr2,addr3
        set addrs [split $xff ","]
        foreach addr $addrs {
          if { [matchclass $::banned_addr_list equals $addr] } {
            reject
          }
        }
      }
    }

I would like to be able to also search in the true-client-ip header and have both parts reference a different class list. So, I am guessing that both parts of the iRule would look like this:

    when HTTP_REQUEST {
      if { [HTTP::header exists "X-Forwarded-For"] } {
        set xff [HTTP::header "X-Forwarded-For"]
        # xff may be in format of addr1,addr2,addr3
        set addrs [split $xff ","]
        foreach addr $addrs {
          if { [matchclass $::banned_addr_list equals $addr] } {
            reject
          }
        }
      }
    }

    when HTTP_REQUEST {
      if { [HTTP::header exists "True-Client-IP"] } {
        set xff [HTTP::header "True-Client-IP"]
        # xff may be in format of addr1,addr2,addr3
        set addrs [split $xff ","]
        foreach addr $addrs {
          if { [matchclass $::banned_addr_list equals $addr] } {
            reject
          }
        }
      }
    }

But I am not very good at scripting and don't know how to combine them.

Any help would be great!

  • Colin_Walker_12
    Historic F5 Account
    Combining the two iRules is as easy as just copying the section that isn't duplicate code from one, and pasting it into the other.

    What you'd end up with is something like this:

     when HTTP_REQUEST {
       if { [HTTP::header exists "X-Forwarded-For"] } {
         set xff [HTTP::header "X-Forwarded-For"]
         # xff may be in format of addr1,addr2,addr3
         set addrs [split $xff ","]
         foreach addr $addrs {
           if { [matchclass $::banned_addr_list equals $addr] } {
             reject
           }
         }
       }

       if { [HTTP::header exists "True-Client-IP"] } {
         set xff [HTTP::header "True-Client-IP"]
         # xff may be in format of addr1,addr2,addr3
         set addrs [split $xff ","]
         foreach addr $addrs {
           if { [matchclass $::banned_addr_list equals $addr] } {
             reject
           }
         }
       }
     }

    HTH,

    Colin
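
An added example, not part of either post above: the combined rule with a separate class for each header, as the original question asked. `banned_tcip_list` is a hypothetical name for the second class; the rule also trims the space that usually follows each comma in X-Forwarded-For and reads every instance of a header with `HTTP::header values`.

```tcl
when HTTP_REQUEST {
  # X-Forwarded-For is checked against banned_addr_list (the class from the thread).
  # HTTP::header values returns one list element per instance of the header,
  # so a request carrying the header more than once is fully covered.
  foreach value [HTTP::header values "X-Forwarded-For"] {
    foreach addr [split $value ","] {
      # "a, b, c" splits into "a", " b", " c"; trim so "equals" can match
      set addr [string trim $addr]
      if { $addr ne "" && [matchclass $::banned_addr_list equals $addr] } {
        reject
        # reject does not end the event; return so no further checks run
        return
      }
    }
  }

  # True-Client-IP is checked against its own class.
  # banned_tcip_list is a hypothetical class name (assumption, not from the thread).
  foreach value [HTTP::header values "True-Client-IP"] {
    foreach addr [split $value ","] {
      set addr [string trim $addr]
      if { $addr ne "" && [matchclass $::banned_tcip_list equals $addr] } {
        reject
        return
      }
    }
  }
}
```

Both headers arrive with the request, so this filters on the addresses a proxy or client reports, not on the connection's source address.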