Forum Discussion
How can we replace multiple IPs in an existing X-forwarded-for header with a single originating client IP before sending traffic to backend
Hi
If you want to completely replace the XFF header then this should do it
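    when HTTP_REQUEST {
        # Act only on requests that already carry an X-Forwarded-For header
        if { [HTTP::header exists "X-Forwarded-For"] } {
            # Drop the existing X-Forwarded-For header
            HTTP::header remove "X-Forwarded-For"
            # Insert a new one holding the address of the peer that connected to BIG-IP
            HTTP::header insert "X-Forwarded-For" "[IP::client_addr]"
        }
    }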
- sricharan61 (Cirrus), Oct 14, 2019
Hi Iaine
Thanks for your response.
Going by the security procedures here, I would not really want to remove the complete x-forwarded-for header and insert a new one even though that's a solution too. I was hoping F5 could only remove any other IPs within the x-forwarded-for header (for the cases where the hops before F5 and after the origin client are already adding the x-forwarded-for header) and replace it with only the origin client IP when it receives the request and send it to backend servers so they don't have to worry about which IP is the origin IP, the leftmost or the rightmost.
Let me know if this is not a good solution too, we may have to go back to the best or the simplest solution here if this is only complicating things.
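The selection asked for in the reply above, as an added example that is not part of the original thread or F5's code: a Python model (not an iRule) of collapsing an X-Forwarded-For chain to one origin address by walking it right to left and stopping at the first hop outside a trusted-proxy list. The `TRUSTED_PROXIES` ranges, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed example ranges (assumption, not from the thread): hops in front
# of the load balancer that are allowed to append to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def _is_trusted(addr):
    """True when addr belongs to one of the trusted proxy ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(token):
    """Return an ip_address, or None when the token is not a bare IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def origin_client_ip(peer_addr, xff_values):
    """Pick the single address to forward as X-Forwarded-For.

    peer_addr  -- TCP peer seen by the load balancer (IP::client_addr in the iRule)
    xff_values -- every X-Forwarded-For header value on the request, in order
    """
    origin = ipaddress.ip_address(peer_addr)
    if not _is_trusted(origin):
        # Direct client: anything it put in XFF is unverified, so discard it.
        return str(origin)
    # Flatten repeated headers and comma-separated lists into one hop chain.
    hops = [t for v in xff_values for t in v.split(",") if t.strip()]
    # Walk right to left: each trusted proxy vouches only for the hop before it.
    for token in reversed(hops):
        hop = _parse(token)
        if hop is None:
            break  # unparseable entry: keep the last address that was verified
        origin = hop
        if not _is_trusted(hop):
            break  # first untrusted hop is the client as seen by our own edge
    return str(origin)
```

Entries to the left of the first untrusted hop are supplied by the client, which is why the leftmost value alone cannot be taken as the origin.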