Universal persistence using header values for multiple client IPs.
Hi ajohnson,
here we go...
The iRule below uses the CLIENT_ACCEPTED event to differentiate between client and backend connections. If a backend connection is identified, the submitted X-Forwarded-For header value (if it exists) will be used to query and build the [persist] information. If the backend server does not send an X-Forwarded-For header, the [IP::client_addr] of the backend system will be used to query and build the [persist] information. If a client connection is identified, the existing X-Forwarded-For headers will be sanitized (they may contain untrusted information) and a new X-Forwarded-For header will be inserted based on the [IP::client_addr]. The client system will also use its [IP::client_addr] to query and build the [persist] information.
```tcl
when RULE_INIT {
    # ";#" is required for an inline Tcl comment; a bare ";" would try to run the text as a command.
    set static::xff_persist_timeout 900 ;# persist information timeout in seconds
}

when CLIENT_ACCEPTED {
    # Only these backend systems may supply an X-Forwarded-For header we trust.
    # "equals" instead of "starts_with", so that e.g. 1.2.3.40 does not match 1.2.3.4.
    if { ( [IP::client_addr] equals "1.2.3.4" )
         or ( [IP::client_addr] equals "1.2.3.5" ) } then {
        set trusted_xff_sender 1
    } else {
        set trusted_xff_sender 0
    }
}

when HTTP_REQUEST {
    if { $trusted_xff_sender } then {
        if { [HTTP::header value "X-Forwarded-For"] ne "" } then {
            # Trusted backend sent the original client address: persist on that value.
            persist uie [HTTP::header value "X-Forwarded-For"] $static::xff_persist_timeout
        } else {
            # Trusted backend without X-Forwarded-For: persist on the backend's own address.
            HTTP::header insert "X-Forwarded-For" [IP::client_addr]
            persist uie [IP::client_addr] $static::xff_persist_timeout
        }
    } else {
        # Untrusted client: drop any supplied X-Forwarded-For headers and insert our own.
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
        persist uie [IP::client_addr] $static::xff_persist_timeout
    }
}
```
Note: To make this iRule work you have to make sure that your HTTP profile does not insert X-Forwarded-For headers. The insert will be done selectively by the provided iRule. In addition to that, you need to create a custom "Universal Persistence" profile with the Match Across Services option selected (see config snippet below). This profile needs to be attached to your Virtual Server.
```
ltm persistence universal XFF_Persist {
    app-service none
    defaults-from universal
    match-across-services enabled
    rule none
}
```
Note: For further information regarding the Match Across Services option you may read the solution article K5837.
Cheers, Kai
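An added example, not from Kai's post or from F5, that keeps the same trust model but reads the trusted backend addresses from an address-type data group (assumed name: trusted_xff_senders) and handles an X-Forwarded-For header that already carries a comma-separated chain: only the leftmost entry is used as the persistence key, and only when it parses as an IPv4 address; anything else falls back to [IP::client_addr].

```tcl
when RULE_INIT {
    set static::xff_persist_timeout 900 ;# persistence record lifetime in seconds
}

when CLIENT_ACCEPTED {
    # Trusted backends live in an address data group (assumed name) instead of
    # hard-coded IPs; "equals" on an address data group matches hosts and subnets.
    set trusted_xff_sender [class match [IP::client_addr] equals trusted_xff_senders]
}

when HTTP_REQUEST {
    # Default key: the address of whoever opened the connection.
    set key [IP::client_addr]
    if { $trusted_xff_sender } {
        # "client, proxy1, proxy2": the leftmost entry is the original client.
        set xff [string trim [getfield [HTTP::header value "X-Forwarded-For"] "," 1]]
        # Accept the entry only if it is exactly four decimal octets in range;
        # the trailing %c guard rejects "1.2.3.4.5" and similar junk.
        if { $xff ne "" && [scan $xff {%d.%d.%d.%d%c} a b c d extra] == 4
             && $a >= 0 && $a <= 255 && $b >= 0 && $b <= 255
             && $c >= 0 && $c <= 255 && $d >= 0 && $d <= 255 } {
            set key $xff
        } else {
            # Missing or malformed value: rewrite the header and use the backend's address.
            HTTP::header remove "X-Forwarded-For"
            HTTP::header insert "X-Forwarded-For" [IP::client_addr]
        }
    } else {
        # Untrusted sender: never let a client-chosen value become a persistence key.
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    }
    persist uie $key $static::xff_persist_timeout
}
```

IPv6 clients are deliberately not parsed here and always fall back to [IP::client_addr]; extend the check if your backends forward IPv6 addresses.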