For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

david_20684's avatar
david_20684
Icon for Nimbostratus rankNimbostratus
May 08, 2008

IP address and domain name restrictions in IIS

Has anyone come up with a solution for "IP Address and Domain Name Restrictions" settings in IIS behind an f5?     I would like to restrict access to our web servers running a private appli...
microsoft
partner
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
May 09, 2008
You can remove all existing XFF headers and insert a new value using this iRule: 

  
 when HTTP_REQUEST {  
    
     Remove all XFF headers, if present 
    while {[HTTP::header exists X-Forwarded-For]}{  
  
        Log a debug message for deleting the current XFF header  
       log local0. "Removing XFF: [HTTP::header value X-Forwarded-For]"  
    
        Remove the current XFF header  
       HTTP::header remove X-Forwarded-For  
    }  
     Now that no XFF headers exist, insert a new one  
    HTTP::header insert X-Forwarded-For [IP::client_addr]  
 }

This will ensure that only the BIG-IP XFF value is included in requests sent to the server. You'll need to parse the XFF header value to get the original IP address the BIG-IP received.

Aaron