For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Robert_Luechte2's avatar
Robert_Luechte2
Icon for Cirrus rankCirrus
Aug 26, 2019

Setting serverside IP address to value received in x-forwarded-for header

I have an interesting situation involving SNAT, and haven't been able to find any existing answers.   There is a website that goes to a third party location first. After their processing, the ...
application delivery
iRules
LTM
Lee_Sutcliffe's avatar
Lee_Sutcliffe
Icon for Nacreous rankNacreous
Aug 27, 2019

I am providing this iRule as an example - however I'm not 100% if it work.

Firstly, you need to be confident that return traffic will be directed to the F5 as the only option to change the client IP address is to SNAT the source IP. i.e. your back end servers need to have F5 as the default gateway.

F5 should un-NAT the address for return flows but I've never done this with an IP address that isn't in the same range as a self IP on the device. 

when HTTP_REQUEST {
    if {[HTTP::header exists "X-Forwarded-For"]} {
        snat [HTTP::header value "X-Forwarded-For"]
    }
}