For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

parvez_70211's avatar
parvez_70211
Icon for Nimbostratus rankNimbostratus
Apr 10, 2017

Using X-Forwarded-for to block Clients based on URI information

I have task to block client IP's based on URI information but the catch here is that the actual IP's are present on HTTP header (X-forwarded-For) which are all coming from Akamai. Eg: I have approx...
application delivery
iRules
rsacheen_310098's avatar
rsacheen_310098
Icon for Nimbostratus rankNimbostratus
Apr 10, 2017

How do you like to modify your iRule? The code snippet you have provided looks fine syntax wise, but it blocks access from IP's in your AllowList. How about something like this:-

 

when HTTP_REQUEST {
  if { [HTTP::uri] equals "/en_US/HHCM" && !([IP::addr [IP::client_addr] equals AllowList]) } {
      log output
     reject
  } else {
      Send traffic to your desired server pool
  }
}

Just an example. Correct me if I misunderstood your query.

 

Connection from client IP's [IP::client_addr] that are not in your data group(AllowList) gets blocked.

 

  • parvez_70211's avatar
    parvez_70211
    Icon for Nimbostratus rankNimbostratus
    Apr 10, 2017

    But I would need to block actual client IP based on HTTP-X-Forwarded IP and not at [IP::client_addr]. So I would need to extract the IP present on the header first and then match against our allowed IP data group.

     

  • parvez_70211's avatar
    parvez_70211
    Icon for Nimbostratus rankNimbostratus
    Apr 10, 2017

    Connection from client IP's that are not in your data group(AllowList) gets blocked. - correct

     

  • rsacheen_310098's avatar
    rsacheen_310098
    Icon for Nimbostratus rankNimbostratus
    Apr 10, 2017

    This might help. Looks like something you are looking for. Have a look!

     

    https://devcentral.f5.com/s/feed/0D51T00006i7MAUSA2