Forum Discussion

Wasfi_Bounni
Apr 29, 2021

How does the LTM deal with an XFF header with two values

Hi;

How does the LTM deal with an X-Forwarded-For header that has two values? Does it use the last value inserted? If not, how can I make it use the last value inserted?

What about two occurrences of an X-Forwarded-For header? Does it use the second occurrence (the one below the first one), or does it use the first one?

If it uses the first occurrence, how can I make it use the second occurrence?

Kindly

Wasfi

3 Replies

  • What exactly do you mean by "deal with"? Normally LTM doesn't do anything with an XFF header it receives.

    Are you using a local traffic policy or iRule to read / use it?

    In that case it is up to you to determine how you deal with it; if there are two entries in one header, you decide which one to use for your goals.

    If there are two or more headers, you have to read them all and determine which to use, and possibly clean it up and only send one further.

    See this knowledge article for an example of how to do that: https://support.f5.com/csp/article/K15732009


    • Wasfi_Bounni

      Thank you Boneyard. I cannot find the option to mark your answer as best answer anymore. Basically, there is an upstream device adding the XFF, but the worry is some internal hacker adding his/her XFF before this upstream device, yielding two XFF headers or header values upon reaching the BIG-IP.

  • I think you are seeing, or trying to eliminate, the security issue where multiple addresses could be forged as the client IP address in the XFF header. Beginning in v13, there will be one XFF header with multiple addresses on it; prior to v13, there were multiple XFF headers.

    To overcome this, you can use the code block below:

    when HTTP_REQUEST {
        # HTTP::header remove only drops the last occurrence of a header,
        # so loop until no X-Forwarded-For header is left
        while { [HTTP::header exists "X-Forwarded-For"] } {
            HTTP::header remove "X-Forwarded-For"
        }
        # then forward exactly one header carrying the address of the TCP peer
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    }
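The two replies above describe the same decision from two angles: Boneyard's point that with several XFF headers or values you must read them all, pick one, and send a single clean header onward, and the last reply's point that the value to trust is the one added by your own upstream device, not the one the client supplied. The following Python is an added example written for this thread; it is not F5 code and not an iRule, but it models the logic an iRule or local traffic policy would implement. The header list, the trusted proxy range 10.0.0.0/8 and the addresses are constructed sample values. It goes slightly beyond the thread's single upstream device: it walks the merged values from the right and skips any entry that is itself a trusted proxy, so it also works behind a chain of trusted hops.

```python
import ipaddress

# Constructed sample: the trusted upstream device sits in 10.0.0.0/8 and appends the
# address it saw; everything to the left of its entry was supplied by the client itself.
TRUSTED_PROXIES = ["10.0.0.0/8"]

# Two X-Forwarded-For occurrences (the pre-v13 shape mentioned in the thread) ...
SAMPLE_TWO_HEADERS = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "198.51.100.77"),   # forged by the client before the upstream device
    ("X-Forwarded-For", "203.0.113.9"),     # appended by the trusted upstream device
]
# ... and the same chain folded into one header carrying two values.
SAMPLE_TWO_VALUES = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "198.51.100.77, 203.0.113.9"),
]


def merge_xff(headers):
    """Flatten every X-Forwarded-For occurrence, in wire order, into one list of values."""
    values = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def is_trusted(addr, trusted_nets):
    """True when addr falls inside one of the configured trusted proxy networks."""
    return any(addr in net for net in trusted_nets)


def resolve_client(headers, peer_addr, trusted_proxies=TRUSTED_PROXIES):
    """Pick the client address and return it with a header list carrying exactly one XFF.

    The TCP peer must be a trusted proxy for XFF to mean anything; otherwise the
    header is client-controlled and the peer address itself is the client. When the
    peer is trusted, walk the merged values right to left (the last value was inserted
    by the nearest trusted hop) and stop at the first address that is not itself a
    trusted proxy. If nothing usable is found, fall back to the peer address.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer = ipaddress.ip_address(peer_addr)
    client = peer
    if is_trusted(peer, trusted):
        for raw in reversed(merge_xff(headers)):
            try:
                candidate = ipaddress.ip_address(raw)
            except ValueError:
                continue  # "unknown", hostnames or garbage never become the client
            if not is_trusted(candidate, trusted):
                client = candidate
                break
    # Strip every XFF occurrence and forward a single, cleaned header, as Boneyard suggests.
    cleaned = [(n, v) for n, v in headers if n.lower() != "x-forwarded-for"]
    cleaned.append(("X-Forwarded-For", str(client)))
    return str(client), cleaned


if __name__ == "__main__":
    for sample in (SAMPLE_TWO_HEADERS, SAMPLE_TWO_VALUES):
        print(resolve_client(sample, "10.0.0.5"))
    # Request that did not come through the upstream device: XFF is ignored entirely.
    print(resolve_client([("X-Forwarded-For", "203.0.113.9")], "192.0.2.50"))
```

Both sample requests resolve to 203.0.113.9, the address the upstream device appended, and the forged 198.51.100.77 is dropped from the single header that is forwarded. When the TCP peer is not a trusted proxy the function returns the peer address and discards whatever XFF the client sent, which is the same outcome the iRule in the last reply produces unconditionally.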