Jakuub
Jun 13, 2019

F5 APM Client IP and X-Forwarded-For

Hello,

Is there any possibility to change the Client IP parameter in F5 APM to the value in the X-Forwarded-For header? I have APM behind SNAT/DNAT and I can see only one IP address accessing APM.

Thank you.

2 Replies

  • Just enable the 'Insert X-Forwarded-For' option in the HTTP profile that your virtual server is using.

  • Jakuub

    You are not right, but I fixed it! Just disable the "restrict to single client IP" check. Then you have to apply the following iRule on all access-profile-enabled VS.

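    when HTTP_REQUEST {
       # Only requests that already carry an APM session cookie are checked.
       if { [HTTP::cookie exists "MRHSession"] } {
           # Address stored in the session vs. address claimed by this request.
           set apmip [ACCESS::session data get session.user.clientip]
           set realip [HTTP::header X-Forwarded-For]
           # On a mismatch, remove the session and send the user to the logout page.
           if { ($apmip ne $realip) && ($apmip ne "") } {
               set sessionID [ACCESS::session sid]
               ACCESS::session remove -sid $sessionID
               HTTP::redirect "/my.logout.php3?errorcode=20"
           }
       }
    }

    when ACCESS_SESSION_STARTED {
       # Overwrite the session's client IP with the X-Forwarded-For value.
       if { [HTTP::header exists X-Forwarded-For] } {
           set userip [HTTP::header X-Forwarded-For]
           ACCESS::session data set session.user.clientip $userip
       }
    }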
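
A stricter variant of the iRule above, as an added example that is not part of the original thread: X-Forwarded-For is a request header the client can also send, so this version honours it only when the TCP peer is the NAT/proxy device, and then takes only the last entry. Assumptions: `trusted_proxies` is a hypothetical address-type data group listing the SNAT/DNAT device(s), that device appends the client address as the last X-Forwarded-For entry, and clients are IPv4.

```tcl
# Added example. "trusted_proxies" is a hypothetical address-type data group
# holding the SNAT/DNAT device address(es) in front of APM. IPv4 is assumed.
when HTTP_REQUEST {
    # Default to the TCP peer; use X-Forwarded-For only from our own proxy.
    set realip [IP::client_addr]
    if { [class match $realip equals trusted_proxies] } {
        # A request can carry several X-Forwarded-For headers, each holding a
        # comma-separated list. The last entry is the one the proxy appended;
        # anything before it was supplied by the client.
        set lastxff [lindex [HTTP::header values X-Forwarded-For] end]
        set candidate [string trim [lindex [split $lastxff ","] end]]
        # Accept the value only if it parses as an IPv4 address.
        if { ![catch { IP::addr $candidate mask 255.255.255.255 }] } {
            set realip $candidate
        } else {
            log local0.warning "Missing or malformed X-Forwarded-For from [IP::client_addr]"
        }
    }
    if { [HTTP::cookie exists "MRHSession"] } {
        set apmip [ACCESS::session data get session.user.clientip]
        # Same session check as the original rule, against the validated address.
        if { ($apmip ne "") && ($apmip ne $realip) } {
            log local0.notice "APM session client IP changed: $apmip -> $realip"
            ACCESS::session remove -sid [ACCESS::session sid]
            HTTP::redirect "/my.logout.php3?errorcode=20"
        }
    }
}

when ACCESS_SESSION_STARTED {
    # $realip was resolved in HTTP_REQUEST for the request that opened the session.
    if { [info exists realip] } {
        ACCESS::session data set session.user.clientip $realip
    }
}
```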