Forum Discussion
bjorg235
Jan 03, 2020 (Altocumulus)
irule to reject user defined headers
Hi, we have an issue after enabling X-Forwarded-For in F5. Dev found a vulnerability that allows users to perform code injection by manipulating HTTP headers. May I know if there is any irul...
Yoann_Le_Corvi1
Jan 03, 2020 (Cumulonimbus)
Hi
Understood. So the iRule I send should do the trick. You could also do the same thing with an LTM Policy if you prefer.
With this iRule:
- Any header received on the public side is removed
- F5 takes the client IP address and inserts the X-Forwarded-For header itself (hence the client cannot manipulate the values and send injections...)
Then, if the external user goes through a proxy, of course the client IP address will be the proxy IP, not the real client IP behind the proxy. Is that enough?
If not, then you will need to allow the header and check its value...
Yoann
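The reply above describes the iRule but does not quote it. The following is an added example (not the iRule from this thread and not F5's own code) covering both cases mentioned: by default strip any X-Forwarded-For the client sent and reinsert it from the TCP peer address; for connections that arrive from proxies you control, keep the header only after checking its value. The address data group name trusted_proxies_dg is an assumption.

```tcl
# Added example, not the iRule posted in this thread.
# Assumes an address-type data group named "trusted_proxies_dg" (hypothetical
# name) listing the upstream proxies you control.
when HTTP_REQUEST {
    set client [IP::client_addr]
    set keep_chain 0

    # Only consider a client-supplied X-Forwarded-For when the TCP peer is one
    # of our own proxies, and only if every element looks like an IPv4 address.
    if { [HTTP::header exists "X-Forwarded-For"] &&
         [class match $client equals trusted_proxies_dg] } {
        set keep_chain 1
        # Multiple header instances are joined, spaces dropped, then each
        # comma-separated hop is validated.
        set raw [join [HTTP::header values "X-Forwarded-For"] ","]
        foreach hop [split [string map {" " ""} $raw] ","] {
            if { ![regexp {^\d{1,3}(\.\d{1,3})+$} $hop] } {
                set keep_chain 0
                break
            }
        }
    }

    if { $keep_chain } {
        # Validated chain from a trusted proxy: append the proxy's own address.
        set chain [join [HTTP::header values "X-Forwarded-For"] ", "]
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" "$chain, $client"
    } else {
        # Default case (the approach in the reply above): drop whatever the
        # client sent and let the BIG-IP set the value from the TCP peer.
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" $client
    }
}
```

Any request whose header fails validation, or which arrives from an address not in the data group, ends up with a single X-Forwarded-For containing only the connecting peer's IP, so the backend never sees client-controlled header content.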