For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tony2020's avatar
Tony2020
Icon for Nimbostratus rankNimbostratus
Jun 27, 2016

Parse XFF header for Client IP and allow based on URI and DataGroup match

Hi Guys,   I am trying to restrict access to certain URIs and looking at the XFF header (read/strip) from an iRule but having issue paring the IPs from XFF to make logical decision off of it.   B...
devops
iRules
Vijay_E's avatar
Vijay_E
Icon for Cirrus rankCirrus
Jun 27, 2016

I am using 2 datagroups - CLASS_RESTRICTED_URI is string datagroup with the 2 URI. CLASS_RFC1918 has the private address space (RFC1918).

Untested example that may answer your requirements:

when HTTP_REQUEST {
 if { [class match [HTTP::uri] eq "CLASS_RESTRICTED_URI"] } {
  if { ( not ([class match [IP::client_addr] eq "CLASS_RFC1918"])) } {
    drop
  } elseif { ([HTTP::header exists "X-Forwarded-For"]) and ([HTTP::header values X-Forwarded-For] ne "") and ([class match [HTTP::header "X-Forwarded-For"] eq "CLASS_RFC1918"]) } {
    pool POOL_WEB_SERVERS
  } else {
    drop
  }
}
}