Forum Discussion
f5gurunot
Cirrus
CirrusTCP Option 28 X-Forwarded-For Header
Using Akamai for DDOS mitigation and the requests sent to us show Akamai IP instead of the Client IP. I have enabled TCP Option 28 and trying to insert the Client IP into X-Forwarded-For header. I ...
when CLIENT_DATA {
set opt28 [TCP::option get 28]
if { [string length $opt28] == 4 } {
binary scan $opt28 H8 addr
scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
set optaddr "$ip1.$ip2.$ip3.$ip4"
log local0. "optaddr is $optaddr"
log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
}
}
f5gurunotCirrus
CirrusAkamai said the IP address forwarded in TCP Option28 is in HEX format and needs to be converted back to the decimal version...
xuwen
Cumulonimbus
Cumulonimbuswhen CLIENT_DATA {
set opt28 [TCP::option get 28]
if { [string length $opt28] == 4 } {
binary scan $opt28 H8 addr
scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
set optaddr "$ip1.$ip2.$ip3.$ip4"
log local0. "optaddr is $optaddr"
log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
}
}
- f5gurunot
Thank you!! This was the solution...
when CLIENT_DATA {
set opt28 [TCP::option get 28]
if { [string length $opt28] == 4 } {
binary scan $opt28 H8 addr
scan $addr “%2x%2x%2x%2x” ip1 ip2 ip3 ip4
set optaddr “$ip1.$ip2.$ip3.$ip4"
log local0. “optaddr is $optaddr”
log local0. “ip addr parse result is [IP::addr parse -ipv4 $opt28]”
}
}
when HTTP_REQUEST {
if { [info exists optaddr] } {
HTTP::header insert X-Forwarded-For $optaddr
}
}- xuwen
the result of [string length [TCP::option get 28] == 0,similar to the phenomenon of using TOA moudle in nginx to read the tcp option 254(F5 in SERVER_CONNECTED event insert tcp option),
Akamai's insert tcp option 28 is in the tcp data, Akamai's technology is not powerful than F5(V14+) in SERVER_INIT event inserts three times tcp options 28 into the (tcp syn, tcp ack, tcp data) process