Header injection rule
Hello everyone.
I need to make a rule that injects a header value based on the presence of specific client-side IP addresses: 192.168.0.1, 192.168.0.2, 192.168.0.3, etc.
What I think it would be is something like:
when HTTP_REQUEST {
if { [HTTP::host] eq "hostname" }{
pool POOL_NAME
}
and then an if statement with the allowed IPs
Don't know if I need the X-Forwarded-For value here?
and then HTTP::header insert "valuename" "allow"
We have a proxy on the back end that will read the value and allow access to the backend server based on the presence of the "allow" value in the header injection.
Sorry, my F5 skills are basic at best.
I believe the following should work for you and you shouldn't need X-Forwarded-For.
when HTTP_REQUEST priority 500 {
    if { [class match -- [IP::client_addr] equals "datagroup_name" ] } {
        HTTP::header insert proxy_action "trusted"
    }
    if { [HTTP::host] eq "myhost.mydomain.com" } {
        pool MYPOOL
    }
}
- Aswin_mk (Cumulonimbus)
If your backend needs to get the actual source IP address, please allow X-Forwarded-For in the HTTP profile.
If only specific IPs need to go to the pool, you have to create a source group or create an iRule for the allow.
- jzitnik (Nimbostratus)
We already check for the X-Forwarded-For.
- Aswin_mk (Cumulonimbus)
Hi,
Do you need to allow only specific IPs, or do you need to allow all IPs and add the header for specific IPs?
If you want to allow only specific IPs, then create a source group and add a custom header in the HTTP profile. Use the article below:
https://my.f5.com/manage/s/article/K57354286
- jzitnik (Nimbostratus)
I see that article. I see how to insert a custom header. I don't see how to insert a custom header based on the client request of a specific address.
If host = mypubliccnametoaddress.mydomain.com
if address is member of address group
insert value
We're already getting the X-Forwarded-For address. What we need to do is look at that address, and if the X-Forwarded-For address matches the four addresses we want to allow, and the traffic is bound for a specific pool, insert a value. If not, do nothing. Once the traffic passes through the F5, our proxy looks for the inserted value and allows or denies based on the request.
- jzitnik (Nimbostratus)
Would this iRule work?
when HTTP_REQUEST {
    if { [HTTP::host] eq "myhost.mydomain.com" } {
        pool MYPOOL
    }
    if { [IP::addr [IP::client_addr] equals "datagroup_name" ] } {
        HTTP::header insert "valuename" "trusted"
    }
}
If the client_addr comes from X-Forwarded-For and there is a data group named datagroup_name and an IP address is in that group, will it add "trusted"?
- jzitnik (Nimbostratus)
Sorry, I think this should be:
when HTTP_REQUEST {
    if { [HTTP::host] eq "myhost.mydomain.com" } {
        pool MYPOOL
    }
    if { [class match [IP::client_addr] equals "datagroup_name" ] } {
        HTTP::header insert "valuename" "trusted"
    }
}
- jzitnik (Nimbostratus)
What do the two "--" do after the class match?
- Aswin_mk (Cumulonimbus)
Did it work after applying the iRule? Please let me know the working status.
Br
Aswin
- jzitnik (Nimbostratus)
The iRule worked. We had a check on the proxy that allowed or denied based on the value and it worked. We had a different issue that caused a different problem, although it did help us figure out another issue we were not aware of. Thanks everyone for your help.
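An added example, not code from any poster in this thread: because the back-end proxy grants access on the mere presence of the injected header, the iRule should also discard any copy of that header that arrives with the request, so the value the proxy sees can only have been set by the BIG-IP. The names proxy_action, datagroup_name, myhost.mydomain.com and MYPOOL are the thread's placeholders, and datagroup_name is assumed to be an address-type data group.

```tcl
when HTTP_REQUEST priority 500 {
    # Remove every client-supplied copy of the trust header before any
    # decision is made. Without this, a request from an address outside the
    # data group that already carries "proxy_action: trusted" would reach
    # the back-end proxy with the header intact.
    HTTP::header remove proxy_action

    # Host header comparison is case-insensitive, so normalise it first.
    if { [string tolower [HTTP::host]] eq "myhost.mydomain.com" } {
        pool MYPOOL

        # IP::client_addr is the source address of the connection as seen
        # by the BIG-IP; unlike X-Forwarded-For it is not a request header
        # and cannot be set by the client.
        # "--" marks the end of class match options, so the value that
        # follows is always treated as the item to look up and never as
        # an option, even if it were to begin with "-".
        if { [class match -- [IP::client_addr] equals "datagroup_name"] } {
            HTTP::header insert proxy_action "trusted"
        }
    }
}
```

Here the header is inserted only for requests to the named host, matching the requirement stated earlier in the thread that the traffic be bound for a specific pool.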