For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

f5gurunot's avatar
f5gurunot
Icon for Cirrus rankCirrus
Feb 02, 2023
Solved

TCP Option 28 X-Forwarded-For Header

Using Akamai for DDOS mitigation and the requests sent to us show Akamai IP instead of the Client IP.  I have enabled TCP Option 28 and trying to insert the Client IP into X-Forwarded-For header.  I ...
application delivery
  • xuwen's avatar
    xuwen
    Feb 03, 2023

    when CLIENT_DATA {
    set opt28 [TCP::option get 28]
    if { [string length $opt28] == 4 } {
    binary scan $opt28 H8 addr
    scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
    set optaddr "$ip1.$ip2.$ip3.$ip4"
    log local0. "optaddr is $optaddr"
    log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
    }
    }

xuwen's avatar
xuwen
Icon for Cumulonimbus rankCumulonimbus
Feb 03, 2023

The simplest way is to perform tcpdump on the outside vlan(clientside) of F5. Wireshark observes whether have tcp option 28 field.

For some company network, F5 only performs tcp forwarding, F5 performs tcp option 254 insertion, pool members nginx performs SSL offload and reads the value of F5's tcp option field, and then inserts it into HTTP XFF header. One of the pits is:
Nginx downloads the open-source TOA module to read the value of tcp option, which can only be read in the tcp three handshakes. Unlike F5, F5 is convenient to directly use the TCP:: option function.

F5 must be in SERVER_INIT event in V14+ version, execute tcp option 254 insertion. If F5 is lower than V14, nginx will be unable to read the value of tcp option 254

f5gurunot's avatar
f5gurunot
Icon for Cirrus rankCirrus
Feb 03, 2023

We are on version 17, will get a tcpdump.