For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Erik_27939's avatar
Erik_27939
Icon for Nimbostratus rankNimbostratus
Oct 14, 2013

Drop single request based on header value

We are trying to setup an iRule that will drop a request that has a matching IP in a datagroup. In this scenario, the connections are persistent so all of the HTTP requests are coming down the same c...
application delivery
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 14, 2013

Yours should work, but here's a minor modification:

when HTTP_REQUEST {
    if { ( [HTTP::header exists True-Client-IP] ) and not ( [HTTP::header True-Client-IP] equals "127.0.0.1" ) } {
        set trueIP [HTTP::header True-Client-IP]
    } else {
        set trueIP [IP::client_addr]
    }
    if { [class match $trueIP equals block_list] } {
        discard
    }
}

You're allowing the client, or perhaps an upstream proxy, to set a header (True-Client-IP). If that header exists, use it in the class match, otherwise use the client's IPas seen by the F5. If a match is found, discard the request. Is that your intention?