Forum Discussion
Universal persistence using header values for multiple client IPs.
Hi ajohnson,
here we go...
The iRule below uses the CLIENT_ACCEPTED event to differentiate between client and backend connections. If a backend connection is identified, the submitted X-Forwarded-For header value (if it exists) will be used to query and build the [persist] information. If the backend server does not send an X-Forwarded-For header, the [IP::client_addr] of the backend system will be used to query and build the [persist] information. If a client connection is identified, the existing X-Forwarded-For headers will be sanitized (they may contain untrusted information) and a new X-Forwarded-For header will be inserted based on the [IP::client_addr]. The client system will also use its [IP::client_addr] to query and build the [persist] information.
when RULE_INIT {
    # Persistence record timeout in seconds (Tcl comments after a command need ";#")
    set static::xff_persist_timeout 900 ;# persist information timeout in seconds
}
when CLIENT_ACCEPTED {
    # Only connections from these peers are allowed to supply an X-Forwarded-For value.
    # Note: starts_with is a string prefix test, so "1.2.3.4" also matches e.g. "1.2.3.40".
    if { ( [IP::client_addr] starts_with "1.2.3.4" )
      or ( [IP::client_addr] starts_with "1.2.3.5" ) } then {
        set trusted_xff_sender 1
    } else {
        set trusted_xff_sender 0
    }
}
when HTTP_REQUEST {
    if { $trusted_xff_sender } then {
        # Trusted peer: use the X-Forwarded-For it sent as the persistence key, if present
        if { [HTTP::header value "X-Forwarded-For"] ne "" } then {
            persist uie [HTTP::header value "X-Forwarded-For"] $static::xff_persist_timeout
        } else {
            # Trusted peer without X-Forwarded-For: insert its own address and persist on it
            HTTP::header insert "X-Forwarded-For" [IP::client_addr]
            persist uie [IP::client_addr] $static::xff_persist_timeout
        }
    } else {
        # Untrusted client: discard any supplied X-Forwarded-For and replace it with the
        # observed source address, which is also used as the persistence key
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
        persist uie [IP::client_addr] $static::xff_persist_timeout
    }
}
Note: To make this iRule work you have to make sure that your HTTP-Profile does not insert X-Forwarded-For headers. The insert will be done selectively by the provided iRule. In addition to that, you need to create a custom "Universal Persistence" profile, with the Match Across Service option selected (see config snippet below). This profile needs to be attached to your Virtual Server.
ltm persistence universal XFF_Persist {
app-service none
defaults-from universal
match-across-services enabled
rule none
}
Note: For further information regarding the Match Across Service option you may read the solution article K5837.
Cheers, Kai
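The decision logic of the iRule above, as an added Python model (not F5 code and not part of Kai's post) that can be run offline against constructed requests to check that an untrusted client cannot steer persistence by spoofing X-Forwarded-For. It assumes the trusted senders are expressed as IP networks (`TRUSTED_XFF_SENDERS`) rather than the string-prefix test in the iRule, and uses the hypothetical functions `is_trusted_sender` and `handle_request`.

```python
"""Model of the X-Forwarded-For persistence decision (constructed example, not F5 code)."""
import ipaddress

# Assumption: trusted XFF senders as networks instead of the iRule's starts_with prefixes,
# so "1.2.3.40" is NOT trusted here, unlike with the string prefix test.
TRUSTED_XFF_SENDERS = [
    ipaddress.ip_network("1.2.3.4/32"),
    ipaddress.ip_network("1.2.3.5/32"),
]
XFF = "X-Forwarded-For"  # header names are case-insensitive in HTTP; this model uses this exact key


def is_trusted_sender(client_addr: str) -> bool:
    """CLIENT_ACCEPTED equivalent: is the TCP peer a trusted backend/proxy?"""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in TRUSTED_XFF_SENDERS)


def handle_request(client_addr: str, headers: dict) -> tuple:
    """HTTP_REQUEST equivalent: return (persistence key, headers as forwarded)."""
    out = dict(headers)
    if is_trusted_sender(client_addr):
        xff = headers.get(XFF, "")
        if xff != "":
            # Trusted peer told us the real client: persist on the value it sent
            return xff, out
        # Trusted peer without XFF: insert its own address and persist on it
        out[XFF] = client_addr
        return client_addr, out
    # Untrusted client: drop whatever it claimed and record the observed source address
    out.pop(XFF, None)
    out[XFF] = client_addr
    return client_addr, out


if __name__ == "__main__":
    # Constructed requests: trusted proxy with XFF, trusted proxy without, spoofing client
    cases = [
        ("1.2.3.4", {XFF: "10.0.0.7"}),
        ("1.2.3.5", {}),
        ("203.0.113.9", {XFF: "10.0.0.7"}),
    ]
    for peer, hdrs in cases:
        key, fwd = handle_request(peer, hdrs)
        print(f"peer={peer:<12} persist_key={key:<12} forwarded {XFF}={fwd[XFF]}")
```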