For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Pirlo's avatar
Pirlo
Icon for Nimbostratus rankNimbostratus
Mar 29, 2010

Syntax and Effeciency check

Trying to verify syntax and efficiency for the following rule.     Essentially this is a HTTP vip that needs XFF redirection to a dummy pool if the address matches the data group list. ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Apr 01, 2010
You'd need to parse out the IP's from the XFF header value. Can you configure whatever device is inserting the XFF to use a more unique header name? If not, you could use something like this to parse comma separated IPs: 

  
 when HTTP_REQUEST { 
  
     Select the prodpool by default 
    pool prodpool 
  
     Check if XFF header has a value 
    if {[HTTP::header "X-Forwarded-For"] ne ""}{ 
  
        Some proxies append their XFF value to any existing XFF header. 
        Check if XFF header value contains a comma 
       if {[HTTP::header "X-Forwarded-For"] contains ","}{ 
  
           Remove any spaces in the string, and then split it into a list on commas 
          set xff [split [string map {" " ""} [HTTP::header value "X-Forwarded-For"]] ","] 
  
           Get the last comma separated value from the XFF header 
          set xff [lindex $xff [expr {[llength $xff]} - 1]] 
  
       } else { 
          set xff [HTTP::header "X-Forwarded-For"] 
       } 
  
        Check if XFF value is in the class 
       if {[matchclass $xff equals $::pre_test_address_list]} { 
          pool dummypool 
       } 
    } 
 }

Note, I'm assuming you only want to check the last IP in the XFF header value. You could also loop through each IP and check it against the class. But then you'd be checking more than your proxy's XFF value.

Aaron