Forum Discussion
TCP Option 28 X-Forwarded-For Header
- Feb 03, 2023
when CLIENT_DATA {
    set opt28 [TCP::option get 28]
    if { [string length $opt28] == 4 } {
        binary scan $opt28 H8 addr
        scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
        set optaddr "$ip1.$ip2.$ip3.$ip4"
        log local0. "optaddr is $optaddr"
        log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
    }
}
The simplest way is to run tcpdump on the outside (client-side) VLAN of the F5 and check in Wireshark whether the TCP option 28 field is present.
In some company networks the F5 only performs TCP forwarding and inserts TCP option 254; the Nginx pool members perform SSL offload, read the value of the F5's TCP option field, and then insert it into the HTTP XFF header. One of the pitfalls is:
Nginx loads the open-source TOA module to read the value of the TCP option, which can only be read during the TCP three-way handshake. Unlike F5, where it is convenient to use the TCP::option command directly.
On V14+ the F5 must execute the TCP option 254 insertion in the SERVER_INIT event. If the F5 is lower than V14, Nginx will be unable to read the value of TCP option 254.
We are on version 17, will get a tcpdump.
- xuwen, Feb 03, 2023, Cumulonimbus
Observe the client-side tcpdump file of the F5 to see if there is a TCP option 28 field.
If not, check whether there is a firewall, other security-cleaning equipment, or a reverse proxy device in front of the F5. It is better to restore the iRule to a state without the TCP option 28 code and run the tcpdump command.
If the Wireshark pcap file has the TCP option 28 field:
Because your iRule executed the TCP::collect command in the CLIENT_ACCEPTED event, I personally estimate that your TCP option 28 code should be placed in the CLIENT_DATA event (personal advice, not tested in a BIG-IP VE environment).
when CLIENT_DATA {
    set opt28 [TCP::option get 28]
    log local0. "tcp option 28 length is [string length $opt28]"
    ........
}
- f5gurunot, Feb 03, 2023, Cirrus
with this:
when CLIENT_DATA {
    set opt28 [TCP::option get 28]
    log local0. "tcp option 28 length is [string length $opt28]"
}
I see:
Feb 3 09:39:55 info tmm4[12700]: Rule /Common/Akamai_Opt28 <CLIENT_DATA>: tcp option 28 length is 4
with this:
when CLIENT_DATA {
    set opt28 [TCP::option get 28]
    if { [string length $opt28] == 4 } {
        log local0. "tcp option 28 length is [string length $opt28]"
        binary scan $opt28 c ver
        if { $ver != 1 } {
            log local0. "Unsupported Akamai version: $ver"
        } else {
            set optaddr [IP::addr parse -ipv4 $opt28 1]
        }
    }
}
I see:
Feb 3 09:47:48 info tmm[12700]: Rule /Common/Akamai_Opt28 <CLIENT_DATA>: tcp option 28 length is 4
Feb 3 09:47:48 info tmm[12700]: Rule /Common/Akamai_Opt28 <CLIENT_DATA>: Unsupported Akamai version: 76
- f5gurunot, Feb 03, 2023, Cirrus
Akamai said the IP address forwarded in TCP Option28 is in HEX format and needs to be converted back to the decimal version...
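The two points the thread ends on, that the four bytes of option 28 are the raw network-order address and that "binary scan $opt28 c ver" therefore reads its first octet (76) rather than a version field, can be checked offline against the client-side capture xuwen suggests. The following standalone Python is an added example, not code from the thread, from F5 or from Akamai; it walks a constructed SYN's TCP option TLVs, extracts kind 28 and renders it as a dotted quad, and the sample bytes plus the kind 28 / length 6 layout are assumptions for illustration.

```python
# Added example (not from the thread): walk a SYN's TCP options, pull out
# option kind 28 and render its 4-byte payload as a dotted-quad address.
# The sample bytes below are constructed; kind 28 / length 6 is assumed.

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_CLIENT_IP = 28  # the option kind discussed in the thread

def parse_tcp_options(raw: bytes) -> dict:
    """Return {kind: payload} for the TLV options in a TCP header."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts

def option28_to_ipv4(payload: bytes) -> str:
    """The payload is the raw network-order address, not an ASCII hex string."""
    if len(payload) != 4:
        raise ValueError(f"expected 4 bytes, got {len(payload)}")
    return ".".join(str(b) for b in payload)

# Constructed options: MSS 1460, NOP, option 28 carrying 76.10.20.30, EOL.
SAMPLE_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 28, 6, 76, 10, 20, 30, 0])

def client_ip_from_options(raw: bytes = SAMPLE_OPTIONS) -> str:
    return option28_to_ipv4(parse_tcp_options(raw)[TCP_OPT_CLIENT_IP])

def first_byte_as_version(raw: bytes = SAMPLE_OPTIONS) -> int:
    # What "binary scan $opt28 c ver" reads: the first octet of the address
    # (76 for a 76.x.x.x client), not a version field. Tcl's "c" is signed,
    # so octets >= 128 would even come out negative.
    return parse_tcp_options(raw)[TCP_OPT_CLIENT_IP][0]

if __name__ == "__main__":
    print(client_ip_from_options())  # 76.10.20.30
    print(first_byte_as_version())   # 76
```

Whatever the option carries should only be copied into XFF for connections that really arrive from the upstream proxy; on any other path the value is untrusted client input.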