Forum Discussion

Jim_Stumbo's avatar
Jim_Stumbo
Icon for Altostratus rankAltostratus
Jul 01, 2021

Use x-forwarded-for to bypass authentication?

I am pretty new to all the irule stuff and the more advanced access policy stuff, so please be gentle on me.   What we are trying to do is when a connection is made to our F5, check the x-forw...
application delivery
BIG-IP Access Policy Manager (APM)
iRules
security
  • Daniel_Wolf's avatar
    Daniel_Wolf
    Jul 01, 2021

    Hi Jim,

    you could add this iRule

    when HTTP_REQUEST {
    if {[HTTP::header exists X-Forwarded-For]}{
        ACCESS::session data set session.user.clientip [HTTP::header X-Forwarded-For]
    }
}

    It will replace the Session Variable session.user.clientip with the value of the X-Forwarded-For header.

    And then you could use the APM action Endpoint Security (Server-Side) >> IP Subnet Match in the APM Access Policy to check whether the IP is matching the allowed Subnets.

    I didn't test the iRule, let me know whether it works or not.

    KR

    Daniel

    EDIT: Typo in iRule

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP

Hi Jim,

you could add this iRule

when HTTP_REQUEST {
    if {[HTTP::header exists X-Forwarded-For]}{
        ACCESS::session data set session.user.clientip [HTTP::header X-Forwarded-For]
    }
}

It will replace the Session Variable session.user.clientip with the value of the X-Forwarded-For header.

And then you could use the APM action Endpoint Security (Server-Side) >> IP Subnet Match in the APM Access Policy to check whether the IP is matching the allowed Subnets.

I didn't test the iRule, let me know whether it works or not.

KR

Daniel

EDIT: Typo in iRule

Jim_Stumbo's avatar
Jim_Stumbo
Icon for Altostratus rankAltostratus
Jul 01, 2021

thank you very much. I will give this a shot.