Multiple XFF headers

Question

We have a situation where it may be possible for one LTM to insert the XFF and load-blance the packets to another LTM with another XFF set. 
&nbsp;  
&nbsp; I would like to have an iRule the checks for the existence of the XFF header and if it exists then do nothing... else add it in. This is waht I have but it doesn't seem to be working correctly, I am still getting 2 XFF headers in the payload. 
&nbsp;  
&nbsp; Any help would be appreciated 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;   if {  
&nbsp;     [HTTP::header exists "X-Forwarded-For"]  
&nbsp; } 
&nbsp; { 
&nbsp;  Do nothing 
&nbsp;  } 
&nbsp; else 
&nbsp;  { 
&nbsp;     HTTP::header insert "X-Forwarded-For" [IP::client_addr] 
&nbsp;   } 
&nbsp; }

dennypayne · Answer

I would try using "return" to exit from the HTTP_REQUEST event.

when HTTP_REQUEST {    
        if {[HTTP::header exists "X-Forwarded-For"]}    
          return     
       } else {    
          HTTP::header insert "X-Forwarded-For" [IP::client_addr]    
        }    
    }

Denny 
  
 EDIT: removed extra bracket

deb_allen_18 · Answer

HTTP::header replace will add replace the specified header if it's already there, or add it if it is not. 
&nbsp;  
&nbsp; /d

hoolio · Answer

I assume you've disabled XFF on the HTTP profile on the second set of LTM's? 
  
 You could also try logging what's happening:

when HTTP_REQUEST { 
    if {[HTTP::header exists "X-Forwarded-For"]}{ 
        Do nothing 
       log local0. "[IP::client_addr]:[TCP::client_port]: Existing XFF: [HTTP::header values "X-Forwarded-For"]" 
    } else { 
       HTTP::header insert "X-Forwarded-For" [IP::client_addr] 
       log local0. "[IP::client_addr]:[TCP::client_port]: Added XFF: [HTTP::header values "X-Forwarded-For"]" 
    } 
 }

Aaron

colin_walker_12 · Answer

Don't forget that you don't really need a "do nothing" section of the rule at all.  You can accomplish the same thing with negative logic. 
&nbsp;  
&nbsp;  
 when HTTP_REQUEST {  
   if { !([HTTP::header exists "X-Forwarded-For"])}{  
     HTTP::header insert "X-Forwarded-For" [IP::client_addr]  
     log local0. "[IP::client_addr]:[TCP::client_port]: Added XFF: [HTTP::header values "X-Forwarded-For"]"  
   }  
 }  
  
&nbsp;  
&nbsp; Not that it matters a ton in this case, but in longer, more complex scenarios, this can save a fair amount of code.  Also, the header replace option is a good one, that way you should only ever end up with one. This is only an option if you aren't trying to preserve a previous XFF header though, obviously. 
&nbsp;  
&nbsp; Colin

kevin_nail · Answer

Thanks for all the help... I added the 'return' word and some quotes around the "X-Forwarded-For" value... It works just fine now.

Forum Discussion

Multiple XFF headers

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

Related Content

XFF Header Persistence iRule

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

XFF Universal Persistence iRule

(HTTP) Redirection via Arbitrary Host Header

F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP headers

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS