Forum Discussion
Jim_Stumbo
Altostratus
AltostratusUse x-forwarded-for to bypass authentication?
I am pretty new to all the irule stuff and the more advanced access policy stuff, so please be gentle on me.
What we are trying to do is when a connection is made to our F5, check the x-forwarded-for field and if it is a certain IP address range, then bypass the authentication in the access policy. We have users and systems that are making this connection and we want to users to have to do the two factor authentication we have in place, but the systems that make this connection cannot do the two factor authentication. So we want them to be able to skip over that. We are taking precautions on our WAF to prevent the spoofing of the x-forwarded-for header, so we should be OK there.
Any suggestions on how to do this? I am assuming, from what I have read... that I can create an irule that checks the x-forwarded-for and sets a variable depending on if it is in the range that we know is from the systems directly, and then somehow in the access policy, check for that variable, and if it is a certain value, go to success directly bypassing the SAML auth, but if it is not that value, then they go to the authentication to do their two factor auth.
Thanks for any help.
Jim
Hi Jim,
you could add this iRule
when HTTP_REQUEST { if {[HTTP::header exists X-Forwarded-For]}{ ACCESS::session data set session.user.clientip [HTTP::header X-Forwarded-For] } }It will replace the Session Variable session.user.clientip with the value of the X-Forwarded-For header.
And then you could use the APM action Endpoint Security (Server-Side) >> IP Subnet Match in the APM Access Policy to check whether the IP is matching the allowed Subnets.
I didn't test the iRule, let me know whether it works or not.
KR
Daniel
EDIT: Typo in iRule
- Daniel_Wolf
MVP
Hi Jim,
you could add this iRule
when HTTP_REQUEST { if {[HTTP::header exists X-Forwarded-For]}{ ACCESS::session data set session.user.clientip [HTTP::header X-Forwarded-For] } }It will replace the Session Variable session.user.clientip with the value of the X-Forwarded-For header.
And then you could use the APM action Endpoint Security (Server-Side) >> IP Subnet Match in the APM Access Policy to check whether the IP is matching the allowed Subnets.
I didn't test the iRule, let me know whether it works or not.
KR
Daniel
EDIT: Typo in iRule
Jim_Stumbothank you very much. I will give this a shot.
- Jim_Stumbo
It does not look like the iRule works. When I apply it, the website does not come up at all. I have not done the access policy part yet, but just doing the iRule makes it not respond. I am guessing that maybe by changing the clientIP, it is trying to respond to the client directly, instead of going back through the WAF?
- Daniel_Wolf
See this diagram: https://devcentral.f5.com/s/articles/iRule-Event-Order-Flowchart
You could try and replace the HTTP_REQUEST with ACCESS_SESSION_STARTED.
Sorry.... I really should have tested the iRule.