Forum Discussion
f5gurunot
Cirrus
CirrusTCP Option 28 X-Forwarded-For Header
Using Akamai for DDOS mitigation and the requests sent to us show Akamai IP instead of the Client IP. I have enabled TCP Option 28 and trying to insert the Client IP into X-Forwarded-For header. I ...
when CLIENT_DATA {
set opt28 [TCP::option get 28]
if { [string length $opt28] == 4 } {
binary scan $opt28 H8 addr
scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
set optaddr "$ip1.$ip2.$ip3.$ip4"
log local0. "optaddr is $optaddr"
log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
}
}
f5gurunotCirrus
CirrusJust ran the following and not getting connection reset anymore.
tmsh create ltm profile tcp tcp_opt tcp-options "{28 first}"However, still not seeing the Client IP.
Also, tried changing the HTTP_REQUEST to:
when HTTP_REQUEST {
if {$proto} {
HTTP::header insert X-Forwarded-Proto https
}
else {
HTTP::header insert X-Forwarded-Proto http
}
if { [info exists optaddr] } {
HTTP::header insert X-Forwarded-For $optaddr
}
}
xuwen
Cumulonimbus
Cumulonimbuscan you insert a code below "set opt28 [TCP::option get 28]"
log local0. "tcp option 28 length is [string length $opt28]"and show the log give me, tail -f /var/log/ltm
- f5gurunot
Feb 2 19:58:26 bigip01.web.test.com info tmm3[12700]: Rule /Common/Akamai_Opt28 <CLIENT_ACCEPTED>: tcp option 28 length is 0
- xuwen
https://clouddocs.f5.com/api/irules/TCP__option.html
tcp option 28 length is 0, It indicates that Akamai did not send the message with option 28 to F5,so below irules can not exec
if { [string length $opt28] == 5 } { binary scan $opt28 c ver if { $ver != 1 } { log local0. "Unsupported Akamai version: $ver" } else { set optaddr [IP::addr parse -ipv4 $opt28 1] } }cause variable optaddr is non-existent, so The action code that causes the insertion of XFF will not be executed
if { [info exists optaddr] } { HTTP::header insert X-Forwarded-For $optaddr }- f5gurunot
Thanks, appreciate your help! That's what I was thinking as soon as I saw that. Will see what Akamai says.