Forum Discussion
X-Forwarded-For through proxy and F5
Hi,
Okay, I think that might be because that is from one of your proxies that already inserts XFF, correct? I hinted earlier that you might need to adjust the behavior per client (or proxy) IP. I might have some bad indentation here, but this is something along these lines:

    when HTTP_REQUEST {
        if { [IP::addr [IP::client_addr] equals IP_PROXY_THAT_ALREADY_INSERT_XFF/CIDR] } {
            # we know this proxy already inserts XFF, so don't do anything but load balance
            pool [LB::server pool]
        } else {
            # insert the client IP to add visibility after F5 SNAT
            set XFF [IP::remote_addr]
            HTTP::header replace "X-Forwarded-For" $XFF
        }
    }

Also, if the proxies are sending multiple HTTP requests per connection, you may need to enable OneConnect to get your iRule to work correctly.
Let me know how your ssldump goes...
- Scott123456789, Mar 27, 2017 (Cirrus)
I'm sorry, but I don't follow the logic here. I'm new to this, so I'm sure it's me, but the traffic sourcing from a proxy is the traffic I can't see the client IP on. If that proxy is inserting an XFF and it is giving me the proxy IP in that XFF, why would I do nothing to that? I'd think I'd want to determine if there is a second XFF value that I'd expect to be the original client IP.
- Soda_Cup_148395, Mar 27, 2017 (Nimbostratus)
"If that proxy is inserting an XFF and it is giving me the proxy IP in that XFF, why would I do nothing to that?"
Because the XFF for the true client is already in place, we need to do nothing; the web servers can see this. Isn't the goal that the servers can see the client IP after any SNAT?
- Scott123456789, Mar 28, 2017 (Cirrus)
If the XFF for the true client was in place, wouldn't I see it in the header? I don't see it when I look at traffic on the F5, so I don't think it is in place.
- Scott123456789, Mar 28, 2017 (Cirrus)
Although I did just realize one misunderstanding. I don't necessarily need the servers in the pool to get the original client IP from XFF. I really want the F5 to see the original client IP, mainly for troubleshooting purposes. For example if a user is having a problem from a site behind a proxy, I want to be able to isolate their traffic from the rest of the traffic that comes from that proxy.
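The thread above turns on two things the iRule does not show: a proxy that "already inserts XFF" may only be inserting its own address, and a direct client can send any X-Forwarded-For it likes, so the header is only trustworthy for the hops you control. The following is an added example, not code from the original posts or from F5: it walks the XFF chain from the right (the peer that actually connected) leftward, discards addresses belonging to proxies you trust, and returns the first address you cannot vouch for as the original client. The trusted-proxy ranges and sample header values are constructed for illustration. It also shows the header you would want the F5 to emit for the proxy branch (append the proxy's address rather than leave the chain untouched), which is what lets you later isolate one user behind a shared proxy.

```python
import ipaddress

# Constructed list of proxies we control (assumption: replace with your own
# forward-proxy ranges and the F5 SNAT address). Only these hops are trusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.1.2.0/24"),    # hypothetical corporate forward proxy
    ipaddress.ip_network("192.0.2.10/32"),  # hypothetical F5 SNAT address
]


def _is_trusted(addr, trusted):
    """True if addr parses as an IP and falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Tokens such as "unknown" are not addresses and are never trusted.
        return False
    return any(ip in net for net in trusted)


def parse_xff(header_value):
    """Split an X-Forwarded-For value into its comma-separated hops, left to right."""
    if not header_value:
        return []
    return [hop.strip() for hop in header_value.split(",") if hop.strip()]


def client_ip_from_xff(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the best-supported guess at the original client address.

    The chain is XFF hops followed by the TCP peer. Walking it from the right,
    every hop we own is skipped; the first hop we do not own is the client as
    seen by our outermost proxy. Anything further left was written by parties
    we cannot vouch for and is ignored, so a forged XFF from a direct client
    never wins.
    """
    chain = parse_xff(xff_header) + [remote_addr]
    for hop in reversed(chain):
        if not _is_trusted(hop, trusted):
            return hop
    # Every hop was one of our own proxies (e.g. the proxy only inserted its
    # own IP): the TCP peer is all we can honestly report.
    return remote_addr


def append_hop(xff_header, hop_addr):
    """Build the XFF value a proxy or load balancer should forward: keep what
    arrived and append the address of the peer that just handed us the request."""
    hops = parse_xff(xff_header)
    hops.append(hop_addr)
    return ", ".join(hops)


if __name__ == "__main__":
    # Constructed samples: (TCP peer address, X-Forwarded-For as received).
    samples = [
        ("10.1.2.7", "203.0.113.5, 10.1.2.7"),        # proxy forwarded the full chain
        ("10.1.2.7", "10.1.2.7"),                     # proxy inserted only itself
        ("198.51.100.9", "1.2.3.4"),                  # direct client forging XFF
        ("192.0.2.10", "203.0.113.5, 10.1.2.7, 192.0.2.10"),  # behind F5 SNAT too
    ]
    for peer, xff in samples:
        print(f"peer={peer:<14} xff={xff!r:<45} client={client_ip_from_xff(peer, xff)}")
```

The rule to keep in mind is that the leftmost XFF entry is the least trustworthy, not the most: only strip hops you can prove are yours, and treat whatever remains to the left as data supplied by the client.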
- Scott123456789, Mar 28, 2017 (Cirrus)
Thank you for your help on this. I truly appreciate it.
- Soda_Cup_148395, Mar 28, 2017 (Nimbostratus)
No problem.