For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sumanta_88744's avatar
Sumanta_88744
Icon for Cirrus rankCirrus
Jun 11, 2016
Solved

Universal Persistence with X-forwarder

Hi Experts   Can I use Universal persistence using x-forwarder with i-rule? I would have each x-forwarded IP stick to the same back-end pool member. Will this work? Can you please share code? Any ...
application delivery
cloud
iRules
LTM
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Jul 20, 2016

    A formatted version of the "Per VS" rate limiting. You can apply the same irule to all standard VS using UIE persistence.

     

    when RULE_INIT {
    set static::maxReqs 3;
    set static::timeout 60;
}

when HTTP_REQUEST {
        set vs [URI::basename [virtual]]
        if { [HTTP::header exists "X-Forwarded-For"] } {
            set client_IP_addr [getfield [lindex  [HTTP::header values "X-Forwarded-For"]  0] "," 1]
        } else {
            set client_IP_addr [IP::client_addr]
        }
        if { ([HTTP::method] eq "GET") and ([class match [string tolower [HTTP::uri]] ends_with $vs_URI_LIST_TO_LIMIT] ) } {

            whitelist
            if { [class match [IP::client_addr] equals $vs_ips_whitelist] }{
               return
            }
            set getcount [table lookup -notouch "$vs_$client_IP_addr:[HTTP::uri]"]
            if { $getcount equals "" } {
                table set "$vs_$client_IP_addr:[HTTP::uri]" "1" $static::timeout $static::timeout
            } else {
                if { $getcount < $static::maxReqs } {
                    table incr -notouch "$vs_$client_IP_addr:[HTTP::uri]"
                } else {
                    reject
                }
            }
        }
        persist uie $clientip 
}

when HTTP_RESPONSE { 
    persist add uie $clientip 
}

     

Sumanta_88744's avatar
Sumanta_88744
Icon for Cirrus rankCirrus
Jun 22, 2016

Hi Yann

 

Thanks. Got it. Working now. What is the difference between persist add uie $clientip under HTTP_RESPONSE and persist add uie $clientip under HTTP_REQUEST?

 

The x-forwarded is supposed to come in http-request packet.

 

Regards,

 

Sumanta.

 

  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 22, 2016
    in the request it's just "persist uie" not "persist add uie". in the response you add a persistence record. in the request, you are doing a lookup of the persistence
  • Sumanta_88744's avatar
    Sumanta_88744
    Icon for Cirrus rankCirrus
    Jun 23, 2016
    Hi Yann Thanks. I can see under iRule statistics, that HTTP_REQUEST=0 and HTTP_RESPONSE=62. However, there are no failures or aborts. I was hoping that request counter will be more since I am extracting real IP address from x-forwarded value and using it to create persistence. In case it is not present in the http packet, then normal source IP would be used. Is it okay or do I need to swap the "persist uie" and "persist add uie"
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 23, 2016
    Hi, it can be a bug on the statistics. I already noticed that. Do you have logs in the ltm log file regarding the log command you set in the http request event ?
  • Sumanta_88744's avatar
    Sumanta_88744
    Icon for Cirrus rankCirrus
    Jun 23, 2016
    Hi Yann I think you are right. Logs show HTTP_REQUEST. See below. Rule /Common/iRule_xff_src : 82.132.198.20:49182: XFF: 10.4.0.6
  • Sumanta_88744's avatar
    Sumanta_88744
    Icon for Cirrus rankCirrus
    Jul 19, 2016

    Hello Yann

     

                I used this code in live network and am seeing it for two weeks now. It simply works perfectly every time. Thanks for your magic code !

    Regards,

     

    Sumanta.