Forum Discussion

Jim_Stumbo's avatar
Jim_Stumbo
Icon for Altostratus rankAltostratus
Jul 01, 2021

Use x-forwarded-for to bypass authentication?

I am pretty new to all the irule stuff and the more advanced access policy stuff, so please be gentle on me.   What we are trying to do is when a connection is made to our F5, check the x-forw...
application delivery
BIG-IP Access Policy Manager (APM)
iRules
security
  • Daniel_Wolf's avatar
    Daniel_Wolf
    Jul 01, 2021

    Hi Jim,

    you could add this iRule

    when HTTP_REQUEST {
    if {[HTTP::header exists X-Forwarded-For]}{
        ACCESS::session data set session.user.clientip [HTTP::header X-Forwarded-For]
    }
}

    It will replace the Session Variable session.user.clientip with the value of the X-Forwarded-For header.

    And then you could use the APM action Endpoint Security (Server-Side) >> IP Subnet Match in the APM Access Policy to check whether the IP is matching the allowed Subnets.

    I didn't test the iRule, let me know whether it works or not.

    KR

    Daniel

    EDIT: Typo in iRule

Jim_Stumbo's avatar
Jim_Stumbo
Icon for Altostratus rankAltostratus

It does not look like the iRule works. When I apply it, the website does not come up at all. I have not done the access policy part yet, but just doing the iRule makes it not respond. I am guessing that maybe by changing the clientIP, it is trying to respond to the client directly, instead of going back through the WAF?

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Jul 01, 2021

See this diagram: https://devcentral.f5.com/s/articles/iRule-Event-Order-Flowchart

 

You could try and replace the HTTP_REQUEST with ACCESS_SESSION_STARTED.

Sorry.... I really should have tested the iRule.