For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jose_Cruz's avatar
Jose_Cruz
Icon for Altostratus rankAltostratus
Aug 06, 2019
Solved

Help with X-Forwarded-For iRule

We have many (over 500) Public VIP that we need to insert the client IP in the header for security reasons. When i enabled X-Forwarded-For in the HTTP profile the developer informed me they are recei...
application delivery
devops
iRules
LTM
x-forwarded-for
  • JG's avatar
    JG
    Aug 06, 2019

    I would not enable the acceptance of XFF, for it can be faked. You should only trust the IP address that initiated the connection as the client address. As such, you can try the irule below.

    when HTTP_REQUEST_RELEASE {
    log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] % 1],[getfield [IP::local_addr] % 1]
    log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
}

    .

Jose_Cruz's avatar
Jose_Cruz
Icon for Altostratus rankAltostratus
Aug 06, 2019

i still see the %1000 after the IP and now i also see the self ip after the client IP

 

Orig XFF: X.X.X.X (IP removed for security reasons)

New XFF: X.X.X.X%1000,XX.XXX.XXX.X (IP removed for security reasons)

JG's avatar
JG
Icon for Cumulonimbus rankCumulonimbus
Aug 06, 2019

Are you saying that "New XFF" _added_ "%1000"?