Forum Discussion
Remove additional IP from XFF HTTP Header
I set up an LTM VIP with an iRule to put the client_addr in the XFF HTTP header to the destination, but the traffic goes through a WAF. The WAF is adding a second IP to the HTTP header, which is the Float IP of the F5. From the WAF, traffic is then sent to another LTM VIP which has the real server in the pool. Our security monitoring is looking at the 2nd IP (F5 Float IP) as the client source and is unable to know the first IP is actually the client IP. On the VIP after the WAF I wanted to add an iRule to strip away the 2nd IP (Float IP) in the header. Here is the iRule I am using on the initial LTM VIP:

```tcl
when HTTP_REQUEST {
    if { [HTTP::header exists X-Forwarded-For] } {
        # Header already present: append this connection's source address to the chain
        HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
    } else {
        # No header yet: this VIP is the first hop, so start the chain with the client address
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
}
```

My first thought was to use a variation of this iRule on the VIP after the WAF, but how could I make sure the F5 knows to replace it with the original client_addr and not the IP from the WAF?
17 Replies
- Morten_Marstran
Nimbostratus
Do you have control of all these devices? If so, is there any reason why you cannot remove the functionality that is inserting an XFF header on the WAF?
That way, you would only have the original client ip in the XFF header.
- dwillis619_3073
Nimbostratus
The issue with the WAF is that it only has the ability to either have XFF enabled, in which case it adds the 2nd IP, or turned off, in which case it does not forward anything.
- Morten_Marstran
Nimbostratus
Hi,
You could try this iRule on the backend LTM VIP. I haven't tested it, but it should work, as long as the IPs are split by a ",":

```tcl
when HTTP_REQUEST {
    if { [HTTP::header exists "X-Forwarded-For"] } {
        # Keep only the first comma-separated field, i.e. the address the front-end VIP inserted
        set original_ip [getfield [HTTP::header "X-Forwarded-For"] "," 1]
        # Note the $: without it Tcl would write the literal string "original_ip" into the header
        HTTP::header replace "X-Forwarded-For" $original_ip
    }
}
```
- dwillis619_3073
Nimbostratus
Great thanks I will give that a try.
- dwillis619_3073
Nimbostratus
```tcl
when HTTP_REQUEST {
    if { [HTTP::header exists "X-Forwarded-For"] } {
        # substr with a string terminator returns everything before the first ",",
        # i.e. the first address in the chain. The header is read (not IP::client_addr,
        # which on this VIP is the WAF's address and contains no comma) and replaced
        # rather than inserted, so no second X-Forwarded-For header is added.
        HTTP::header replace "X-Forwarded-For" [substr [HTTP::header "X-Forwarded-For"] 0 ","]
    }
}
```
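Added example, not from the thread and written in Python rather than as an iRule: the same problem seen from the security-monitoring side the original post mentions. Instead of trusting a fixed position in X-Forwarded-For, it walks the chain from the right and discards the addresses of our own hops (the F5 float IP and the WAF, constructed placeholder values here), which yields the client address as the first trusted device saw it whether or not the post-WAF VIP strips the extra entry, and is unaffected by any value a client placed in the header itself.

```python
import ipaddress

# Constructed placeholders for the two hops the thread describes between the
# client and the back-end VIP; in a real deployment use the actual addresses.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.0.0.10"),   # placeholder: F5 LTM float IP
    ipaddress.ip_address("10.0.0.20"),   # placeholder: WAF egress address
}


def parse_xff(header_value):
    """Split an X-Forwarded-For value into IP addresses, left to right.

    Fields that do not parse as IPv4/IPv6 are kept as None so the caller
    can see that the chain contained junk instead of silently skipping it.
    """
    addrs = []
    for field in header_value.split(","):
        field = field.strip()
        if not field:
            continue
        try:
            addrs.append(ipaddress.ip_address(field))
        except ValueError:
            addrs.append(None)
    return addrs


def client_ip(header_value, trusted=TRUSTED_PROXIES):
    """Return the client address as seen by the outermost trusted hop, or None.

    Walks the chain from the right and drops every entry that belongs to one
    of our own proxies. The rightmost entry left is what the outermost
    trusted device saw as its peer; anything to its left was supplied by
    untrusted parties and is informational only. A malformed entry in that
    position is treated as "unknown" rather than guessed around.
    """
    chain = parse_xff(header_value)
    while chain and chain[-1] in trusted:
        chain.pop()
    if not chain or chain[-1] is None:
        return None
    return str(chain[-1])
```

For the thread's topology the back-end VIP sees "client, float-IP", and a client-supplied value to the left of that is ignored rather than mistaken for the source.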