Chris_FP
Feb 09, 2016 (Cirrus)
Traffic policy not evaluating TCL commands
I've setup a traffic policy to check if a header exists and if it doesn't then to add it. That bit of the logic works however it doesn't add what I need it to - it basically doesn't evaluate the tcl...
Kai_Wilke
Feb 10, 2016 (MVP)
Hi Parknook,
I share your opinion, to not use the HTTP profile "Insert X-Forwarded-For" option, when security is somehow a concern.
But keep in mind that a "replace" header action is also not the right choice to sanitize every existing instance of X-Forwarded-For from the received HTTP request. The "replace" action would only modify the last occurrence of X-Forwarded-For, but your application may use the first one. So a combination of "remove" and "insert" is the most secure syntax you can pull off...
To be able to set those headers with LTM Policies prior to v12, you may pass a [HTTP::header remove "X-Forwarded-For"] and [HTTP::header insert "X-Forwarded-For" [IP::client_addr]] syntax using the TCL policy action. Well, the TCL action is originally not intended to manipulate request information, but works like a charm and also supports a rich TCL substitution...
ltm policy Insert_X-Forwarded-For {
    requires { http }
    rules {
        Rule1 {
            actions {
                0 {
                    tcl
                    set-variable
                    expression "[HTTP::header remove \"X-Forwarded-For\"]"
                    name x_forward_for
                }
                1 {
                    tcl
                    set-variable
                    expression "[HTTP::header insert \"X-Forwarded-For\" [IP::client_addr]]"
                    name x_forward_for
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}
Note: Personally I wouldn't recommend using an LTM Policy to issue native TCL commands. But if you require a pure LTM Policy based configuration, then this approach would be one of the last options before migrating to v12...
Cheers, Kai
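The point about "replace" versus "remove" plus "insert" above, shown as an added Python model that is not part of the post or of F5's code: it applies both actions to a constructed request that already carries two client-supplied X-Forwarded-For headers, with "replace" modelled as the post describes it (last occurrence only) and CLIENT_ADDR standing in for IP::client_addr.

```python
# Added example, not from the post: models a "replace" header action versus
# HTTP::header remove followed by HTTP::header insert on a request that already
# carries several X-Forwarded-For headers (header order preserved, as on the wire).
from typing import List, Tuple

Headers = List[Tuple[str, str]]
XFF = "x-forwarded-for"
CLIENT_ADDR = "203.0.113.5"  # stands in for IP::client_addr (constructed value)

# Constructed request: the client supplied two X-Forwarded-For headers itself.
SAMPLE_REQUEST: Headers = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "10.0.0.1"),   # client-supplied, first occurrence
    ("User-Agent", "curl/7.0"),
    ("X-Forwarded-For", "192.0.2.7"),  # client-supplied, last occurrence
]

def replace_last(headers: Headers, value: str) -> Headers:
    """'replace' as described in the post: only the last occurrence is rewritten."""
    out = list(headers)
    for i in range(len(out) - 1, -1, -1):
        if out[i][0].lower() == XFF:
            out[i] = (out[i][0], value)
            return out
    out.append(("X-Forwarded-For", value))  # no header present: behaves like insert
    return out

def remove_then_insert(headers: Headers, value: str) -> Headers:
    """remove + insert: drop every occurrence, then add exactly one trusted header."""
    out = [h for h in headers if h[0].lower() != XFF]
    out.append(("X-Forwarded-For", value))
    return out

def first_xff(headers: Headers) -> str:
    """An application that trusts the first X-Forwarded-For header it sees."""
    for name, value in headers:
        if name.lower() == XFF:
            return value
    return ""

def xff_values(headers: Headers) -> List[str]:
    """All X-Forwarded-For values in order, for inspection."""
    return [v for n, v in headers if n.lower() == XFF]

if __name__ == "__main__":
    # replace leaves the first (client-supplied) value in place; remove+insert does not
    print("replace      ->", first_xff(replace_last(SAMPLE_REQUEST, CLIENT_ADDR)))
    print("remove+insert->", first_xff(remove_then_insert(SAMPLE_REQUEST, CLIENT_ADDR)))
```

An application reading the first header still sees the client-supplied 10.0.0.1 after "replace", while after remove plus insert the only value left is the one the load balancer observed.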