Forum Discussion

Scott123456789's avatar
Scott123456789
Icon for Cirrus rankCirrus
Mar 23, 2017

X-Forwarded-For through proxy and F5

My organization recently got the ASM module when they purchased a pair of 5250Vs. I've never used ASM before and we don't have anyone in our organization that has either, so I'm learning on the fly. ...
ASM Advanced WAF
security
x-forwarded-for
Soda_Cup_148395's avatar
Soda_Cup_148395
Icon for Nimbostratus rankNimbostratus

Hi,

Okay, I think that might be because that is from one of your proxies that already inserts XFF, correct? I hinted earlier that you might need to adjust the behavior per client(or proxy) IP. I might have some bad indentation here but this is something to the idea-

when HTTP_REQUEST {

 if { [IP::addr [IP::client_addr] equals IP_PROXY_THAT_ALREADY_INSERT_XFF/CIDR] } { 
   we know this proxy already inserts XFF, so dont do anything but load balancer
   pool [LB::server pool]

} else {
    insert client IP to add visibility after f5 SNAT
     set XFF [IP::remote_addr]
     HTTP::header replace "X-Forwarded-For" $XFF

     }

}

also if the proxies are sending multiple http requests per connection you may need to enable oneconnect to get your iRule to work correctly.

Let me know how your ssldump goes...

Scott123456789's avatar
Scott123456789
Icon for Cirrus rankCirrus
Mar 28, 2017

If the XFF for the true client was in place, wouldn't I see it in the header? I don't see when I look at traffic on the F5, so I don't think it is in place.