Forum Discussion
How can we replace multiple IPs in an existing X-forwarded-for header with a single originating client IP before sending traffic to backend
On the subject of security, XFF can be forged easily, and therefore should not be relied upon for serious purposes. You should only trust the IP address of the peer of the connection.
I would create a custom HTTP profile for your virtual server, accept the default setting for "Accept XFF", which is unchecked, and enable "Insert X-Forwarded-For", which would place the IP address of the connection peer in the header.
Alternatively, you can accept incoming XFF, and let the backend application log XFF, and do whatever they want with the header data. Vendors of various Web servers mostly have instructions available on how to log XFF.
- sricharan61, Oct 15, 2019
Cirrus
Thank you
Just wondering, when F5 adds the peer IP address and its own outgoing interface in the header while we have the Insert X-forwarded-for header, would the incoming peer's IP be the leftmost or the rightmost? This is a question the web server team wants to know before we move some of their applications to go through F5 from a legacy load balancer.
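Added example, not part of the original thread and not F5 or vendor code: a backend-side way to pick the client address from X-Forwarded-For that does not depend on trusting the leftmost entry, which the sender controls. It assumes the common convention that each proxy appends its peer's address on the right; `TRUSTED_PROXIES`, `is_trusted` and `client_ip` are hypothetical names, and all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed example: networks the backend accepts XFF from, such as the
# load balancer's own addresses. Replace with your real proxy ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_values):
    """Return the address to log as the client.

    peer_addr  -- source IP of the TCP connection to this server
    xff_values -- every X-Forwarded-For header line, in the order received
    """
    # A peer that is not one of our proxies can send any header it likes,
    # so the header is ignored and the connection peer is used.
    if not is_trusted(peer_addr):
        return peer_addr
    # Flatten repeated header lines and comma-separated lists into one chain.
    chain = [p.strip() for v in xff_values for p in v.split(",") if p.strip()]
    # Walk from the right: the first entry that is not one of our proxies was
    # written by a trusted proxy about its own peer. Everything further left
    # was supplied by the client and cannot be verified.
    for entry in reversed(chain):
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
        if not is_trusted(entry):
            return entry
    return peer_addr
```

Called with a trusted peer and the header `203.0.113.66, 198.51.100.7`, this returns `198.51.100.7`: the forged leftmost value is never consulted.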