Forum Discussion
TCP Option 28 X-Forwarded-For Header
- Feb 03, 2023
when CLIENT_DATA {
    set opt28 [TCP::option get 28]
    if { [string length $opt28] == 4 } {
        binary scan $opt28 H8 addr
        scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
        set optaddr "$ip1.$ip2.$ip3.$ip4"
        log local0. "optaddr is $optaddr"
        log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
    }
}
Have you bound the created tcp_option profile in this VS?
create ltm profile tcp PROFILE_NAME tcp-options "{option <first|last>} {option <first|last>}"
Can you give the configuration from list ltm virtual xxx and list ltm profile tcp tcp_option_XX, and the error log in /var/log/ltm?
- f5gurunot Feb 03, 2023 Cirrus
Just ran the following and not getting connection reset anymore.
tmsh create ltm profile tcp tcp_opt tcp-options "{28 first}"
However, still not seeing the Client IP.
Also, tried changing the HTTP_REQUEST to:
when HTTP_REQUEST {
    if {$proto} {
        HTTP::header insert X-Forwarded-Proto https
    }
    else {
        HTTP::header insert X-Forwarded-Proto http
    }
    if { [info exists optaddr] } {
        HTTP::header insert X-Forwarded-For $optaddr
    }
}
- xuwen Feb 03, 2023 Cumulonimbus
Can you insert this code below "set opt28 [TCP::option get 28]":
log local0. "tcp option 28 length is [string length $opt28]"
and show me the log from tail -f /var/log/ltm?
- f5gurunot Feb 03, 2023 Cirrus
Feb 2 19:58:26 bigip01.web.test.com info tmm3[12700]: Rule /Common/Akamai_Opt28 <CLIENT_ACCEPTED>: tcp option 28 length is 0
- f5gurunot Feb 03, 2023 Cirrus
ltm virtual test_443 {
    destination 5.5.5.5:https
    ip-protocol tcp
    last-modified-time 2023-02-02:18:49:31
    mask 255.255.255.255
    policies {
        asm_auto_l7_policy__test_443 { }
    }
    pool test_80
    profiles {
        ASM_WebASM_US_ONLY { }
        analytics { }
        http { }
        manual_test.com {
            context clientside
        }
        tcp-analytics { }
        tcp_opt { }
        websecurity { }
        websocket { }
    }
    rules {
        Akamai_Opt28
    }
    security-log-profiles {
        "Log illegal requests"
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 40
}
ltm profile tcp tcp_opt {
    app-service none
    tcp-options "{28 first}"
}