Forum Discussion

Cirrus

Mar 15, 2016

Multiple X-Forwarded-For ip address

We have enabled X-Forwarded-For on F5 and in apache we have added following code LogFormat blah...\"user-agent\": \"%{User-agent}i\", \"client\": \"%{X-Forwarded-For}i\",...blah Now i am doing ex...

Cirrus

Absolutely. In your HTTP profile, make sure Accept XFF is not check. Are you adding X-Forwarded-For via iRule or your HTTP profile?

Brad_Parker

Cirrus

Mar 16, 2016

So in your HTTP profile you are right you should enable X-Forwarded-For since you are using SNAT, but you don't want to accept an X-Forwarded-For from someone else. That's what that check box for "Accept XFF" is for. It prevents the forged header from being excepted.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Multiple X-Forwarded-For ip address

Recent Discussions

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

question about getting hsl data to be formatted properly in splunk

Problem with lets encrypt and redirect after update

Should config via cli rather than gui?

iRule for client certificate verification and inserting CN

Related Content

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

Performance L4 VS - HTTPS [X-forwarded-for]

X-Forwarded-For HTTP Module For IIS7, Source Included!

Use x-forwarded-for to bypass authentication?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS