Forum Discussion
Jeremy_Alons_40
Nimbostratus
Aug 06, 2009
matchclass and custom header values
Greetings,
I'm inserting true-client-ip (forwarded from Akamai to show us the actual client's IP address, not Akamai's edge server that's servicing the request) via an iRule:
    when HTTP_REQUEST {
        if { [HTTP::header exists "X-Forwarded-For"] } {
            HTTP::header insert x-forwarded-for [IP::remote_addr]
        } elseif { [HTTP::header exists "true-client-ip"] } {
            HTTP::header insert true-client-ip [IP::remote_addr]
        }
    }
I'm now trying to compare this value with a class containing banned IP addresses (some networks, some hosts) with the following rule:
    when HTTP_REQUEST {
        if { [matchclass [HTTP::header value true-client-ip] equals $::banned_ip_addresses ] } {
            log local0. "[HTTP::header value true-client-ip]"
            drop
            return
        }
    }
banned_ip_addresses contains an IP I'm passing through the VS that has this iRule applied to it, so I know I should be able to trigger this, yet cannot. If I log out the value of [HTTP::header value true-client-ip] I can see the IP address, yet I believe the disconnect is that the value of true-client-ip isn't matching the class type address.
Basically, can I cast [HTTP::header value true-client-ip] to whatever the matchclass wants? Or am I doing something else completely wrong here?
1 Reply
- hoolio
Cirrostratus
TCL isn't really a strongly typed language, so you can use the string from the header value output to compare with the address type datagroup.
Are you using the two iRules together? If so, you're overwriting the XFF and true-client-ip header values with the actual IP address LTM sees in the TCP connection. If that's not the case, try logging the header value and the banned_ip_addresses class in the rule. If it's still not clear, try posting the anonymized log output.
Aaron
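One way to apply the reply's advice in a single rule, as an added example that is not part of the original thread: the header is read as received (never inserted or replaced first), the compared value and the class are logged, and the header is only honoured when the TCP peer is a known proxy. The class `trusted_edge_addresses` is a hypothetical address class assumed for this sketch; `banned_ip_addresses` and the `matchclass` syntax are taken from the question.

```tcl
when HTTP_REQUEST {
    # Address LTM sees on the TCP connection (the Akamai edge for proxied traffic).
    set peer [IP::remote_addr]
    set candidate $peer

    # Assumption: trusted_edge_addresses is a hypothetical address class listing
    # the proxies allowed to supply true-client-ip. From any other peer the
    # header is client-controlled, so the peer address is checked instead.
    if { [HTTP::header exists "true-client-ip"] &&
         [matchclass $peer equals $::trusted_edge_addresses] } {
        # Read the header as received; nothing in this rule inserts or replaces it.
        set candidate [string trim [HTTP::header value "true-client-ip"]]
    }

    # Debug logging suggested in the reply: what is compared, and against what.
    log local0. "peer=$peer true-client-ip values=[HTTP::header values true-client-ip] candidate='$candidate'"
    log local0. "banned_ip_addresses=$::banned_ip_addresses"

    # If the comparison raises an error on a value that is not an address,
    # log it and fall back to the peer address rather than aborting the event.
    if { [catch { matchclass $candidate equals $::banned_ip_addresses } banned] } {
        log local0. "unusable true-client-ip '$candidate' from $peer"
        set banned [matchclass $peer equals $::banned_ip_addresses]
    }

    if { $banned } {
        log local0. "dropping banned client $candidate (peer $peer)"
        drop
        return
    }
}
```

Once the log lines show the expected client address in `candidate`, the two debug `log` statements can be removed.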
