Forum Discussion
Help with X-Forwarded-For iRule
- Aug 06, 2019
I would not enable the acceptance of XFF, for it can be faked. You should only trust the IP address that initiated the connection as the client address. As such, you can try the irule below.
when HTTP_REQUEST_RELEASE {
    # Log whatever XFF value(s) arrived with the request
    log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
    # Drop the untrusted header and replace it with the connection's source
    # address and the VIP address, stripping the route-domain suffix ("%<id>")
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] % 1],[getfield [IP::local_addr] % 1]
    log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
}
- Jose_CruzAug 06, 2019Altostratus
I still see the %1000 after the IP, and now I also see the self IP after the client IP.
Orig XFF: X.X.X.X (IP removed for security reasons)
New XFF: X.X.X.X%1000,XX.XXX.XXX.X (IP removed for security reasons)
- JGAug 06, 2019Cumulonimbus
Are you saying that "New XFF" _added_ "%1000"?
- Jose_CruzAug 06, 2019Altostratus
Yeah, the iRule example you provided above adds the route domain to the new XFF value (same as my iRule did), but it also inserts the self IP. But I found an iRule that fixed the issue. Now I just need to make sure that even if someone tries to spoof the IP, I log the correct IP.
Modifying the HTTP X-Forwarded-For header to remove the route domain suffix
- JGAug 06, 2019Cumulonimbus
Ah I see, mine had the quotes, which I shall remove.
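The following iRule is an added example written for this thread; it is neither the iRule posted above nor the one from the linked DevCentral article, and it has not been tested on a BIG-IP. It combines the three points raised in the discussion: the incoming X-Forwarded-For value is logged (because a forged value is exactly what you want on record), the header is replaced with only the connection's source address (no self IP), and the route-domain suffix such as "%1000" is stripped. It assumes the HTTP_REQUEST event, uses split/lindex instead of getfield to cut at the "%" (either works), and loops the remove in case a client sent more than one X-Forwarded-For header.

```tcl
when HTTP_REQUEST {
    # Record what the client (or an upstream proxy) claimed. A spoofed
    # X-Forwarded-For shows up here next to the real source address, which
    # is what you need when investigating the request later.
    if { [HTTP::header exists "X-Forwarded-For"] } {
        log local0. "Client [IP::client_addr] sent X-Forwarded-For: [HTTP::header values "X-Forwarded-For"]"
    }

    # IP::client_addr carries a route-domain suffix when the VIP is in a
    # non-default route domain, e.g. "203.0.113.7%1000" (constructed sample).
    # Keep only the address part before the "%".
    set client_ip [lindex [split [IP::client_addr] "%"] 0]

    # Remove every copy of the untrusted header (a client may send several)
    # and insert a single value that contains only the connection's source IP.
    while { [HTTP::header exists "X-Forwarded-For"] } {
        HTTP::header remove "X-Forwarded-For"
    }
    HTTP::header insert "X-Forwarded-For" $client_ip

    log local0. "New X-Forwarded-For: [HTTP::header value "X-Forwarded-For"]"
}
```

Because the original value is logged from the BIG-IP itself, the backend only ever sees the stripped source address, while the spoof attempt remains visible in /var/log/ltm; if the backend is supposed to see the self IP as well, append it to the inserted value, but note that this is what produced the "self IP after the client IP" result above.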