For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tony2020's avatar
Tony2020
Icon for Nimbostratus rankNimbostratus
Jun 27, 2016

Parse XFF header for Client IP and allow based on URI and DataGroup match

Hi Guys,   I am trying to restrict access to certain URIs and looking at the XFF header (read/strip) from an iRule but having issue paring the IPs from XFF to make logical decision off of it.   B...
devops
iRules
Vijay_E's avatar
Vijay_E
Icon for Cirrus rankCirrus
Jun 28, 2016
when HTTP_REQUEST {
 if { [class match [HTTP::uri] eq "CLASS_RESTRICTED_URI"] } {
    if { ([HTTP::header exists "X-Forwarded-For"]) and ([HTTP::header values X-Forwarded-For] ne "") and ([class match [getfield [HTTP::header values X-Forwarded-For] " " 1] eq "CLASS_RFC1918"]) } {
    log local0."[HTTP::header X-Forwarded-For]"
    pool POOL_WEB_SERVERS
  } else {
    drop
  }
}
}

Another possible option:

when HTTP_REQUEST {
 if { [class match [HTTP::uri] eq "CLASS_RESTRICTED_URI"] } {
    if { ([HTTP::header exists "X-Forwarded-For"]) and ([HTTP::header values X-Forwarded-For] ne "") and ([class match [lindex [split [HTTP::header values X-Forwarded-For] " "] 0] eq "CLASS_RFC1918"]) } {
    log local0."[HTTP::header X-Forwarded-For]"
    pool POOL_WEB_SERVERS
  } else {
    drop
  }
}
}