Derek_Nelson_10
Aug 31, 2005

HTTP header searching

Hi all.

Can someone help me with my understanding of searching http headers using iRules please?

I have a pool that inserts this in the http header:

ConnectionSourceIP:${client_addr}

What I want to do is with an iRule check for the existence of this in the header before the pool, and discard. i.e.

if (exists http_header "ConnectionSourceIP") {
    log "IP Header Spoof from:${client_addr}"
    discard
}
else {
    use pool pool_1
}

sort of thing. What I want to do is stop someone trying to spoof source IP address as this header field will be checked by the web application.

Any ideas? Will this work or is there a better way?

Thanks

- Derek.
  • Martin_Machacek
    Historic F5 Account
    Derek,

    your solution should work. It is by no means bulletproof security, but detecting that somebody is trying to send you headers that (s)he has no business knowing about is a good indication of attack attempts.
  • Great feedback. Thanks.

    A final question is:

    Do I have to add a space character in the insertion, after the colon?

    i.e. ConnectionSourceIP: ${client_addr}

    or would

    ConnectionSourceIP:${client_addr}

    still work?

    I haven't tried to do fake header insertion (not quite sure how to do this yet) to test...

    Cheers,

    - Derek.
  • Thanks. I was thinking more of for the iRule that checks for existence of the header. If the header is inserted without a space after the colon does it cause problems? Or does some protocol magic put one in, etc?

    Thanks,

    - Derek.
  • Martin_Machacek
    Historic F5 Account
    In general BIG-IP follows syntax rules defined in RFC 2616 when parsing HTTP requests and responses. All it needs to see in order to detect presence of a header is "header_name:" at the beginning of a line. The rest of the line does not matter. BTW, header matching is case-insensitive.
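
The matching rule described in the last reply, modelled as an added Python example (not part of the thread and not F5 or iRule code): a header counts as present when its name, compared case-insensitively, is followed by a colon at the start of a line, whatever comes after the colon. The function names `header_names` and `handle` are hypothetical, and the sample requests are constructed.

```python
# Added example: models the header-presence check discussed in this thread.
GUARDED = "ConnectionSourceIP"  # header name from the thread


def header_names(raw_request):
    """Return the lower-cased field names found in a raw HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if line[:1] in (b" ", b"\t"):         # RFC 2616 continuation of the previous value
            continue
        name, colon, _rest = line.partition(b":")
        if colon:                             # whatever follows the colon is ignored
            names.append(name.decode("latin-1").lower())
    return names


def handle(raw_request, client_addr):
    """Discard requests that already carry GUARDED; otherwise insert it and forward."""
    head, end, body = raw_request.partition(b"\r\n\r\n")
    if not end:                               # header block not terminated
        return "discard", None
    if GUARDED.lower() in header_names(raw_request):
        return "discard", None                # client supplied the proxy-only header
    trusted = ("%s: %s" % (GUARDED, client_addr)).encode("latin-1")
    return "forward", head + b"\r\n" + trusted + end + body


REQ = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"   # constructed sample prefix
SAMPLES = {
    "clean": REQ + b"\r\n",
    "no_space": REQ + b"ConnectionSourceIP:10.0.0.1\r\n\r\n",
    "mixed_case": REQ + b"connectionsourceip: 10.0.0.1\r\n\r\n",
    "name_in_value": REQ + b"X-Note: ConnectionSourceIP:10.0.0.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, handle(raw, "192.0.2.7")[0])
```

The `name_in_value` sample is forwarded because the guarded name appears only inside another header's value, not at the beginning of a line.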