For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

レザ's avatar
レザ
Icon for Cirrus rankCirrus
Jul 29, 2023
Solved

Difference between Insert X-Forwarded-For and Accept XFF?

Hello
What is the difference between Insert X-Forwarded-For and Accept XFF in http profile?
Is it possible to enable both of these items in a custom http profile?

Do they have priority over each other or not?

 

Thanks

application delivery
  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Jul 29, 2023

    Hi レザ,

    Accept XFF option does not insert a request header.

    Accept XFF: Enables or disables trusting the client IP, and statistics from the client IP address, based on the request's X-Forwarded-For (XFF) headers, if they exist.

    Note: This option has an effect only when you use either AVR or ASM L7 DoS profile (ASM required). For AVR, the Accept XFF option allows the BIG-IP system to trust and take into consideration IP addresses from the X-Forwarded-For header for statistics purposes. For an L7 DoS profile, the Accept XFF option allows the BIG-IP system to take action based on IP addresses from the X-Forwarded-For header that match, for example, an Access List.

    Insert X-Forwarded-For: When using connection pooling, which allows clients to make use of existing server-side connections, you can insert the X-Forwarded For header with the client IP address into a request. When you configure the BIG-IP system to insert this header, the target server can identify the request as coming from a client other than the client that initiated the connection.

    K40243113: Overview of the HTTP profile
    https://my.f5.com/manage/s/article/K40243113

1 Reply

  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Icon for MVP rankMVP
    Jul 29, 2023

    Hi レザ,

    Accept XFF option does not insert a request header.

    Accept XFF: Enables or disables trusting the client IP, and statistics from the client IP address, based on the request's X-Forwarded-For (XFF) headers, if they exist.

    Note: This option has an effect only when you use either AVR or ASM L7 DoS profile (ASM required). For AVR, the Accept XFF option allows the BIG-IP system to trust and take into consideration IP addresses from the X-Forwarded-For header for statistics purposes. For an L7 DoS profile, the Accept XFF option allows the BIG-IP system to take action based on IP addresses from the X-Forwarded-For header that match, for example, an Access List.

    Insert X-Forwarded-For: When using connection pooling, which allows clients to make use of existing server-side connections, you can insert the X-Forwarded For header with the client IP address into a request. When you configure the BIG-IP system to insert this header, the target server can identify the request as coming from a client other than the client that initiated the connection.

    K40243113: Overview of the HTTP profile
    https://my.f5.com/manage/s/article/K40243113