Forum Discussion
Multiple X-Forwarded-For ip address
We have enabled X-Forwarded-For on the F5, and in Apache we have added the following code:
LogFormat blah...\"user-agent\": \"%{User-agent}i\", \"client\": \"%{X-Forwarded-For}i\",...blah
Now I am doing an experiment and sending a forged X-Forwarded-For using the Modify Header plugin in the Chrome browser.
In the Apache logs I am seeing two IP addresses, like the following (123.123.123.123 is the fake IP):
"client": "123.123.123.123, 210.76.39.145"
Question: is there a way in the Apache/F5 LogFormat to extract only the last IP address, which is the valid one?
- Brad_ParkerCirrus
Absolutely. In your HTTP profile, make sure Accept XFF is not checked. Are you adding X-Forwarded-For via iRule or your HTTP profile?
- I need the XFF header because I am using SNAT "automap" in F5. I am using the HTTP Profile. When I am doing testing and adding a forged X-Forwarded-For header using curl -H "X-Forwarded-For: 123.123.123.123", then my Apache logs show two IP addresses. I want only a single IP instead of two.
- Brad_ParkerCirrus
So in your HTTP profile you are right, you should enable X-Forwarded-For since you are using SNAT, but you don't want to accept an X-Forwarded-For from someone else. That's what that check box for "Accept XFF" is for. It prevents the forged header from being accepted.
- Sorry, I got what you are saying. `Accept XFF` is already unchecked. Then why is it still accepting the XFF header?
- JGCumulonimbus
This is really an Apache question.
If you are running Apache 2.4, there is a mechanism for you to specify which addresses to trust in the XFF header and what to log. Consult Apache 2.4 documentation on how to do this.
If you want a quick hack for this on the F5, this is not a new question. You can start with the following old thread:
https://devcentral.f5.com/questions/x-forwarded-for-returning-multiple-ips
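The Apache 2.4 mechanism JG refers to (mod_remoteip with RemoteIPHeader and RemoteIPInternalProxy/RemoteIPTrustedProxy) works by walking the X-Forwarded-For chain from right to left, starting at the TCP peer, and discarding every hop that is a configured trusted proxy; the first hop that is not trusted is treated as the client, and anything to its left is client-supplied and ignored. The following Python is an added example that reproduces that trust walk so the log value from the original post can be checked; it is not code from the thread, from Apache, or from F5. The header value is the one quoted in the question; the F5 self IP 10.0.0.5 and the other peer addresses are assumed values chosen for illustration.

```python
import ipaddress

# Constructed sample: the header value the original poster saw in the Apache log.
# 123.123.123.123 was injected by the test client; 210.76.39.145 is the address
# the F5 appended when it inserted X-Forwarded-For.
SAMPLE_XFF = "123.123.123.123, 210.76.39.145"

# Hypothetical: the F5 self IP / SNAT address that actually connects to Apache.
# This plays the role of RemoteIPInternalProxy in mod_remoteip.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_trusted(ip, trusted):
    """True if ip parses as an address and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def client_ip(peer_ip, xff_value, trusted=TRUSTED_PROXIES):
    """Return the address to log as the client, mod_remoteip style.

    Start from the TCP peer. While the current hop is a trusted proxy, replace it
    with the rightmost remaining X-Forwarded-For entry. The first hop that is not
    trusted is the client; whatever the client itself put in the header is never
    reached. If the peer is not trusted at all, the header is ignored entirely.
    """
    chain = [t.strip() for t in (xff_value or "").split(",") if t.strip()]
    current = peer_ip
    while chain and is_trusted(current, trusted):
        candidate = chain.pop()
        try:
            current = str(ipaddress.ip_address(candidate))
        except ValueError:
            # Malformed hop: keep the last known-good address rather than
            # letting a garbage header value replace it in the log.
            return current
    return current


def client_log_field(peer_ip, xff_value, trusted=TRUSTED_PROXIES):
    """Render the "client" field from the poster's LogFormat with the derived address."""
    return '"client": "%s"' % client_ip(peer_ip, xff_value, trusted)


if __name__ == "__main__":
    # Request arrived from the F5: the forged left-hand entry is discarded.
    print(client_log_field("10.0.0.5", SAMPLE_XFF))
    # Request arrived directly, bypassing the F5: the header is not trusted.
    print(client_log_field("198.51.100.7", SAMPLE_XFF))
```

In Apache 2.4 the equivalent configuration is RemoteIPHeader X-Forwarded-For together with RemoteIPInternalProxy set to the F5 address that connects to Apache; once mod_remoteip is active, %a in LogFormat logs the derived client address while %{c}a still logs the underlying TCP peer, which is the distinction the original LogFormat (logging the raw header with %{X-Forwarded-For}i) does not make.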