Forum Discussion
Jose_Cruz
Altostratus
AltostratusHelp with X-Forwarded-For iRule
We have many (over 500) Public VIP that we need to insert the client IP in the header for security reasons. When i enabled X-Forwarded-For in the HTTP profile the developer informed me they are recei...
I would not enable the acceptance of XFF, for it can be faked. You should only trust the IP address that initiated the connection as the client address. As such, you can try the irule below.
when HTTP_REQUEST_RELEASE { log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]" HTTP::header remove "X-Forwarded-For" HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] % 1],[getfield [IP::local_addr] % 1] log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]" }.
JG
Cumulonimbus
CumulonimbusI would not enable the acceptance of XFF, for it can be faked. You should only trust the IP address that initiated the connection as the client address. As such, you can try the irule below.
when HTTP_REQUEST_RELEASE {
log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
HTTP::header remove "X-Forwarded-For"
HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] % 1],[getfield [IP::local_addr] % 1]
log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
}.
Jose_CruzAltostratus
Altostratusi still see the %1000 after the IP and now i also see the self ip after the client IP
Orig XFF: X.X.X.X (IP removed for security reasons)
New XFF: X.X.X.X%1000,XX.XXX.XXX.X (IP removed for security reasons)
- JG
Are you saying that "New XFF" _added_ "%1000"?
- Jose_Cruz
Yeah the iRule example you provided above adds the route domain to the new XFF value (same as my iRule did) but it also inserts the self ip. But i found an iRule that fixed the issue. Now i just need to make sure even if someone tries to spoof the IP i log the correct ip.
Modifying the HTTP X-Forwarded-For header to remove the route domain suffix
- JG
Ah I see, mine had the quotes, which I shall remove.
- Jose_Cruz
That worked perfectly, i just removed the second ",[getfield [IP::local_addr] % 1]" since i dont want it to log the Self IP.
when HTTP_REQUEST_RELEASE {
log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
HTTP::header remove "X-Forwarded-For"
HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] % 1]
log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
}
I spoofed my IP and the iRule removed the spoofed ip and inserted my real public IP.
Thank You for your help.