Forum Discussion
david_20684
Nimbostratus
May 08, 2008
IP address and domain name restrictions in IIS
Has anyone come up with a solution for "IP Address and Domain Name Restrictions" settings in IIS behind an f5?
I would like to restrict access to our web servers running a private appli...
hoolio
Cirrostratus
Jun 27, 2008
Hi David,
The BIG-IP allows you to insert a custom HTTP header (X-Forwarded-For) with the original source IP address with a single click of the button. As it was being used for access control, I gave a suggestion of using an iRule to ensure that only the BIG-IP's header is passed on. Of course, depending on which web server platform you're using, you need to configure the web server to do something with that custom HTTP header. To log the value with Apache, it's a matter of changing a configuration option. In IIS, you need to use an ISAPI filter--which F5 provides. For access control, it's not so easy as the ACL is probably done before the HTTP headers are parsed.
You can definitely enforce an ACL based on requested URI and/or source IP address on the BIG-IP using an iRule and a couple of datagroups. There are a few examples in the Codeshare and a lot of forum posts with examples.
Short of having an option to automatically remove all existing XFF headers before inserting a new one, I don't think it would be possible for another load balancer to handle this scenario better. All BIG-IP and any other load balancer is doing in this scenario is changing the source IP address. How would another load balancer not require changes to the server in order to use the header?
Aaron
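An iRule sketch of the two measures described in the reply above, added here as an illustration and not taken from the thread or from F5's Codeshare. The data group names `private_app_paths` (string) and `private_app_allowed_nets` (address) are hypothetical, and the rule assumes a BIG-IP version that provides the `class match` command.

```tcl
# Added example: enforce the ACL on the BIG-IP and pass on only a
# BIG-IP-generated X-Forwarded-For header.
# Hypothetical data groups (create them before attaching the rule):
#   private_app_paths         string type, e.g. "/private"
#   private_app_allowed_nets  address type, e.g. 10.0.0.0/8
when HTTP_REQUEST {
    # The BIG-IP still sees the real client address here, so the
    # source-IP check is done before the request reaches IIS.
    set path [string tolower [HTTP::path]]
    if { [class match $path starts_with private_app_paths] } {
        if { not [class match [IP::client_addr] equals private_app_allowed_nets] } {
            HTTP::respond 403 content "Forbidden"
            return
        }
    }

    # Remove every X-Forwarded-For header the client supplied, then
    # insert one containing the address the BIG-IP actually observed.
    # Without the removal, a client-supplied value would be passed on
    # to the web server alongside the BIG-IP's header.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
}
```

If the virtual server's HTTP profile is also set to insert X-Forwarded-For, disable one of the two so the server receives a single header.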
