Forum Discussion
David_Raimist_1
Nimbostratus
Jul 07, 2006
Looking for help with Incoming IP address within
We are utilizing a "one arm router" config and the remote IP address is coming from the LB. We are using "Insert XForwarded For" in the profile and F5 isapi filter to write the original/incoming IP a...
hoolio
Cirrostratus
Jul 07, 2006
Hi David,
In a one arm configuration, the BIG-IP can insert the original client IP address in the X-Forwarded-For header. After processing the request, the BIG-IP replaces the source IP address with the SNAT address.
You can still access the client IP address using 'IP::remote_addr' in the CLIENT_ACCEPTED, HTTP_REQUEST and other client-side contexts.
If you want to perform ACL-type restrictions on the source IP address, you can create a datagroup (or class) of networks or IP addresses and then use the matchclass function to see if the client's IP address meets your access criteria.
class my_hosts_networks_class {
   network 10.0.0.0 mask 255.0.0.0
   host 192.168.0.100
}

rule filter_clients_rule {
   when CLIENT_ACCEPTED {
      # set debug to 1 to enable logging to /var/log/ltm. Set to 0 to disable logging.
      set debug 1
      if { [matchclass [IP::remote_addr] equals $::my_hosts_networks_class] } {
         if { $debug } {
            log local0.info "Allowed client: [IP::remote_addr]"
         }
         pool http_pool
      } else {
         pool nonsecure_pool
      }
   }
}

On the other hand, if you're trying to parse the X-Forwarded-For header on the application server and make decisions based on that, I wouldn't know where to start.
Aaron
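For the application-server case mentioned at the end of the reply above, here is an added example (not part of the original post and not F5 code) that applies the same network/host list to X-Forwarded-For. It assumes the BIG-IP reaches the server from the SNAT address 192.0.2.10 (a constructed value), the function names are hypothetical, and the header is honoured only on connections from that address, reading it from the right so that values a client supplied itself are not trusted.

```python
import ipaddress

# Same entries as my_hosts_networks_class in the iRule above.
ACL = [ipaddress.ip_network("10.0.0.0/255.0.0.0"),
       ipaddress.ip_network("192.168.0.100/32")]

# Assumption: SNAT address the BIG-IP uses toward this server (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _in(addr, networks):
    return any(addr in net for net in networks)


def client_ip(peer, xff_headers, trusted=TRUSTED_PROXIES):
    """Return the address the ACL should be applied to.

    peer        -- source IP of the TCP connection as seen by the server
    xff_headers -- raw X-Forwarded-For header values, in the order received
    """
    peer_addr = ipaddress.ip_address(peer)
    # A header on a connection that did not come from the proxy is entirely
    # client-controlled, so ignore it and use the real source address.
    if not _in(peer_addr, trusted):
        return peer_addr
    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for v in xff_headers for h in v.split(",") if h.strip()]
    # Walk from the right: the rightmost entry was added by our own proxy,
    # anything further left may have been sent by the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: stop trusting the header
        if not _in(addr, trusted):
            return addr
    return peer_addr


def allowed(peer, xff_headers):
    """True if the effective client address matches the ACL."""
    return _in(client_ip(peer, xff_headers), ACL)
```
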