Forum Discussion

Jo_ (Nimbostratus)
Aug 23, 2022

Problem persistent iRule

Within the login process, requests are sent from a client towards our IDP. That same client also sends requests within the same login process to a web server that in turn sends requests to our IDP.

The intention is that the requests that come directly from the client and those that go through the web server end up on the same IDP server.

The first IP within the X-Forwarded-For header always contains the client IP. Therefore the following iRule was configured:

if { $static::uri contains "/part_of_url" } {
  if { [HTTP::header exists "X-Forwarded-For"] } {
    # Persistence key: first comma-separated value of the first X-Forwarded-For header
    persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0]
  }
}

What is the result?

Requests from the client directly to the IDP end up on the same IDP server and requests from the same client that go through the web server end up on another IDP. The first attribute of the X-Forwarded-For header is the same client IP for all requests. How can all requests from the same client IP end up on the same IDP server?

2 Replies

  • Hey Jo_ - thanks for posting and giving some detail. If you don't get an answer soon from the community, I'll ask one of my colleagues to chime in.

  • Just posing some questions to think about; I am not well-versed in the specifics of setting up this configuration on APM.

    1. You are taking the first header in the list of potential X-Forwarded-For headers present, and then taking the first IP address from that header, correct? Is that always the desired state?
    2. What event is that logic applied in?
    3. Also, do you have OneConnect enabled? If not, you're evaluating on a per-connection basis, not a per-request basis.
    4. Finally, have you taken packet captures to evaluate your headers ahead of and after BIG-IP?
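
An added example (not part of the thread and not F5 code): a Python model of the key expression in the posted iRule, for checking X-Forwarded-For values copied from packet captures on both paths. The function names and sample addresses are constructed; it models only the string handling of that expression, not BIG-IP persistence itself.

```python
import ipaddress

def irule_key(xff_headers):
    """Key as the posted expression builds it: first X-Forwarded-For header
    line, first comma-separated element, no trimming or normalization."""
    if not xff_headers:
        return None  # header absent: the iRule's inner 'if' is skipped
    return xff_headers[0].split(",")[0]

def normalized_key(xff_headers):
    """Same element, trimmed and parsed so equal addresses compare equal."""
    raw = irule_key(xff_headers)
    if raw is None:
        return None
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None  # not a bare IP address (for example "ip:port")

def compare_paths(direct, via_web):
    """Classify whether two requests would produce the same persistence key."""
    raw_a, raw_b = irule_key(direct), irule_key(via_web)
    if raw_a is None or raw_b is None:
        return "no-key"
    if raw_a == raw_b:
        return "same-key"
    norm_a, norm_b = normalized_key(direct), normalized_key(via_web)
    if norm_a is not None and norm_a == norm_b:
        return "same-ip-different-string"
    return "different-first-element"

# Constructed samples: each value is the list of X-Forwarded-For header lines
# seen on the (direct, via web server) request, using documentation addresses.
SAMPLES = {
    "identical first IP": (["203.0.113.7"], ["203.0.113.7, 198.51.100.20"]),
    "space before comma": (["203.0.113.7"], ["203.0.113.7 , 198.51.100.20"]),
    "IPv6 spelling": (["2001:db8::1"], ["2001:0DB8:0:0:0:0:0:1, 198.51.100.20"]),
    "proxy header first": (["203.0.113.7"], ["198.51.100.20", "203.0.113.7"]),
    "header missing": (["203.0.113.7"], []),
}

if __name__ == "__main__":
    for name, (direct, via_web) in SAMPLES.items():
        print(f"{name:20} {compare_paths(direct, via_web)}")
```

Any result other than `same-key` means the two requests would not share the key string the iRule passes to `persist uie`.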