Help with X-Forwarded-For iRule
We have many (over 500) public VIPs that we need to insert the client IP in the header for security reasons. When I enabled X-Forwarded-For in the HTTP profile the developer informed me they are receiving WAY too many characters in the header and it causes issues on the database. So I figured out those values are being inserted before it reaches our network. So I configured the iRule (below) but it's still causing the character limit issue on the database, but I did notice one thing that caught my eye. It's inserting the VLAN ID after the client address. Has anyone experienced this before or knows how this can be fixed using the iRule?
iRule:
when HTTP_REQUEST {
    log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
}
Value being logged on LTM:
Orig XFF: X.X.X.X (IP removed for security reasons)
New XFF: X.X.X.X%1000 (IP removed for security reasons)
Developer confirmed they see this in the logs:
X.X.X.X%1000 (IP removed for security reasons)
I would not enable the acceptance of XFF, for it can be faked. You should only trust the IP address that initiated the connection as the client address. As such, you can try the iRule below.
when HTTP_REQUEST_RELEASE {
    log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
    HTTP::header remove "X-Forwarded-For"
    # getfield splits on "%" and keeps the first field, dropping the route-domain suffix (the "%1000")
    HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] "%" 1],[getfield [IP::local_addr] "%" 1]
    log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
}
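As an added example (not from the original post or the reply above), here is an iRule that strips the route-domain suffix the same way, keeps any upstream X-Forwarded-For value only when the connection comes from a proxy you operate, and caps the header so an oversized value never reaches the database. The address-type data group name trusted_proxies_dg and the 255-character cap are assumptions for illustration.

```tcl
# Added example: route-domain-safe X-Forwarded-For with a trust check and a length cap.
# Assumes an address-type data group named "trusted_proxies_dg" (hypothetical name).
when HTTP_REQUEST {
    # IP::client_addr may carry a route-domain suffix, e.g. 203.0.113.7%1000.
    # getfield splits on "%" and returns field 1: the bare address.
    set client_ip [getfield [IP::client_addr] "%" 1]

    # By default the connecting address is the only value we trust.
    set xff $client_ip

    # Only when the connection comes from one of our own proxies do we keep
    # the upstream chain, appending the connecting address at the end.
    if { [HTTP::header exists "X-Forwarded-For"] && [class match $client_ip equals trusted_proxies_dg] } {
        # "values" returns every X-Forwarded-For header; join them into one chain.
        set upstream [string trim [join [HTTP::header values "X-Forwarded-For"] ", "]]
        if { [string length $upstream] > 0 } {
            set xff "$upstream, $client_ip"
        }
    }

    # Never forward more than the backend column can store (cap is an assumption;
    # set it to the real column size). Fall back to the connecting address alone.
    if { [string length $xff] > 255 } {
        set xff $client_ip
    }

    # Remove all existing copies first so a spoofed header cannot survive alongside ours.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" $xff
    log local0. "XFF set to: $xff (connection from [IP::client_addr])"
}
```

Requests from any address not in the data group always get the bare connecting IP, so a client-supplied X-Forwarded-For is discarded rather than passed through.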