Forum Discussion

jpavel's avatar
jpavel
Icon for Nimbostratus rankNimbostratus
Jun 09, 2008

X-Forwarded-For persistense

Hello All,

 

 

unfortunately I am not that iRule professional and therefore I would like to ask you if anybody can help me.

 

I would like to create an iRule for a customer which would like to inspect the X-Forwarded-For header for universal persistence.

 

Because of security reasons our customer would like to erase the X-Forwarded-For header as soon as the universal persistense took place.

 

Is it possible to create such an iRule and has anybody an example how it has to look like?

 

Unfortunately I am not sure if an iRule can handle a header inspection and a header erase in the same iRule definition.

 

Has anybody tried this before?

 

 

Thanks in advance for your help.

 

 

Regards

 

 

Joerg

 

application delivery
dev
devops
iRules
  • Nicolas_Menant's avatar
    Nicolas_Menant
    Icon for Employee rankEmployee
    Jun 09, 2008
    Hi,

    you should be able to do the job by doing first the persist uie and then the HTTP::header remove command

    Here are some links that will help you set it up, should be easy :

    persist uie: Click here

    read/remove a HTTP header: Click here

    should look like this: 

     
 when HTTP_REQUEST { 
   persist uie [HTTP::header "X-Forwarded-For"] 
   HTTP::header remove "X-Forwarded-For" 
 }

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jun 09, 2008
    If the end customer is concerned about the validity of the XFF header to the point they don't want to send it to the server, why would they want to use it for persistence? Are you able to use cookie insert persistence instead? If you're concerned about clients tampering with the cookie, you could encrypt it. Else, is source address persistence an option?

     

     

    Aaron
  • jpavel's avatar
    jpavel
    Icon for Nimbostratus rankNimbostratus
    Jun 10, 2008
    Hi nmenant,

     

     

    thanks for your quick reply and your example.

     

    I will give it a try.

     

     

    hoolio: I tried to setup cookie insert mode, but in front of the LTM is a farm of webwashers proxies and behind the LTM a Symantec Security Gateway (proxy). Somehow one of these two devices is stripping out the cookie and it always fall back to simple persistence.

     

    Unfortunately source ip persistence is not an option because the webwasher is proxying the requests.

     

     

    Regards

     

     

    Joerg

     

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jun 10, 2008
    Cookie insert persistence should work in this scenario if you enable OneConnect on the VIP:

     

     

    OneConnect? For my iRule?

     

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=114

     

     

    Aaron
  • jpavel's avatar
    jpavel
    Icon for Nimbostratus rankNimbostratus
    Jun 10, 2008
    Thanks Aaron.

     

    I will be on that customer side hopefully next week and will see if the OneConnect Profile will help us in this situation.

     

    As I remember we have had big problems on a ssl wilcard virtual server as soon as we enabled persistense. When we enabled persistense (it doesn´t matter what kind of persistense) the internal browsing clients got no https responses from external servers.

     

     

    Regards

     

     

    Joerg