bitva_135199
Nimbostratus
Mar 21, 2016

Where is route_domain in X-Forwarded-For iRule coming from and why iRule not always working?

Hi! We have some special application that uses the X-Forwarded-For header for IP authentication. The security/design issues with that "feature" aside...

The app is a bit particular where it only wants to see one IP address in the X-Forwarded-For header. We have an HTTP profile on to insert the XFF header. We also have SNAT off.

I have the following iRule that mostly works:

 

when HTTP_REQUEST {
  if {[HTTP::header exists X-Forwarded-For]} {
      HTTP::header remove X-Forwarded-For
      HTTP::header insert X-Forwarded-For "[IP::client_addr]"
  }
}

I had tried to do a replace at first but that wasn't working for whatever reason (we're on 10.2.3 and I was wondering if that's an issue in itself). Anywho, the remove and insert works most of the time, but every once in a while I see this in the Apache logs behind this VIP:

"1.2.3.4%1100, 1.2.3.4"

I'm recommending we smarten the app code up a bit to deal with multiple values in that header but my questions are:

  1. What's up with the iRule not being applied all the time?

  2. Where's the route_domain coming from?

  3. And why's it inserting the same IP twice?

Thank you so much for reading and for any help/guidance you can provide!

-Matt
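
Added example, not part of the original post: one way the application behind the VIP could cope with a multi-valued header such as the logged "1.2.3.4%1100, 1.2.3.4". The function names are hypothetical, and trusting only the rightmost entry is an assumption that holds only if the load balancer is the sole path to the app and adds its entry last.

```python
import ipaddress
import re

# "%<id>" suffix as seen in the logged value "1.2.3.4%1100".
_RD_SUFFIX = re.compile(r"%\d+$")


def parse_xff(header_values):
    """Split X-Forwarded-For header values into normalized addresses.

    header_values is a list because the header can arrive on several lines.
    Entries keep header order; an entry that is not a valid IP becomes None
    so the caller can fail closed instead of guessing.
    """
    entries = []
    for value in header_values:
        for raw in value.split(","):
            token = _RD_SUFFIX.sub("", raw.strip())
            try:
                entries.append(ipaddress.ip_address(token))
            except ValueError:
                entries.append(None)
    return entries


def authenticating_ip(header_values):
    """Return the address to authenticate on, or None to reject the request.

    Assumption: only the rightmost entry was written by the load balancer;
    anything to its left may have been supplied by the client.
    """
    entries = parse_xff(header_values)
    return entries[-1] if entries else None


if __name__ == "__main__":
    # Constructed sample values; the first is the one quoted from the logs.
    samples = [
        ["1.2.3.4%1100, 1.2.3.4"],
        ["203.0.113.7", "198.51.100.9%1100"],   # header sent on two lines
        ["203.0.113.7, not-an-ip"],             # malformed last entry
    ]
    for sample in samples:
        print(sample, "->", authenticating_ip(sample))
```

A None result should be treated as an authentication failure rather than falling back to another entry in the list.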

2 Replies

  • Josiah_39459
    Historic F5 Account
    Not an answer, but adding some logging to the iRule, perhaps with more details of the incoming session, would allow you to search through the ltm logs and try to isolate the criteria for when this occurs.
  • JG
    Cumulonimbus

    How about:

     

    when HTTP_REQUEST {
      if {[HTTP::header exists X-Forwarded-For]} {
          HTTP::header remove X-Forwarded-For
      }
      HTTP::header insert X-Forwarded-For "[IP::client_addr]"
    }

    and I am really surprised that you have so many route domains configured and it's good to know that RD works at scale!