Multiple X-Forwarded-For ip address

satish_txt_2254
Cirrus
Mar 15, 2016
I need XFF header because i am using SNAT "automap" in F5. I am using HTTP Profile. When i am doing testing and adding forge X-Forwarded-For header using curl -H "X-Forwarded-For: 123.123.123.123" then my apache logs showing two IP address in logs.. I want only single IP instead two
Brad_Parker_139
Nacreous
Mar 16, 2016
So in your HTTP profile you are right you should enable X-Forwarded-For since you are using SNAT, but you don't want to accept an X-Forwarded-For from someone else. That's what that check box for "Accept XFF" is for. It prevents the forged header from being excepted.
satish_txt_2254
Cirrus
Mar 16, 2016
Sorry i got it what you saying `Accept XFF` is already unchecked. then still why it's accepting XFF header?
Brad_Parker_139
Nacreous
Mar 16, 2016
Your other option is to use an Local Traffic Policy or an iRule to inject the X-Forwarded-For header. But rather than using the "insert" directive you would use "replace". That would ensure only one header could possibly be sent to the backend servers and a forged header won't be accepted. Replace will add the header if it doesn't already exist and over-write the header that was present if the client did try to send a forgery.
Brad_Parker_139
Nacreous
Mar 16, 2016
That's a good question on that behavior. I was under the impression that would ignore client submitted XXF headers. I will do more research on that behavior and see if that's expected. With that said I would highly recommend the policy or iRule I mentioned above. The irule is very simple. when HTTP_REQUEST { HTTP::header replace "X-Forwarded-For" [IP::client_addr] }
satish_txt_2254
Cirrus
Mar 16, 2016
Can you provide me full iRule? also is there any performance impact with iRule?? we are running almost 1000TPS
Brad_Parker_139
Nacreous
Mar 16, 2016
UPDATED "when HTTP_REQUEST { HTTP::header replace "X-Forwarded-For" [IP::client_addr] }" is the full iRule. The performance hit wouldn't be any more than the HTTP profile inserting the header(which is to say very very minimal).
satish_txt_2254
Cirrus
Mar 17, 2016
You rule is giving error, look like format issue... are you sure thats the correct rules.. I think it should start with `when...`
Brad_Parker_139
Nacreous
Mar 17, 2016
Yep, should start with when. looks like a missed that in the copy paste from one comment to the other.

Forum Discussion

Multiple X-Forwarded-For ip address

Recent Discussions

Should config via cli rather than gui?

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

question about getting hsl data to be formatted properly in splunk

Problem with lets encrypt and redirect after update

iRule for client certificate verification and inserting CN

Related Content

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

Performance L4 VS - HTTPS [X-forwarded-for]

X-Forwarded-For HTTP Module For IIS7, Source Included!

Use x-forwarded-for to bypass authentication?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS