X-Forwarded-For

Can you replace 'HTTP::header $header_name' with 'HTTP::header values $header_name' and retest?

Using this version of the rule with HTTP::header values on 9.4.0, I see a list of the X-Forwarded-For values:

when HTTP_REQUEST {
   set headers [HTTP::header names]
   log local0. "\$headers: $headers"
   foreach header_name $headers {
      log local0. "HTTP_header_DUMP [IP::client_addr] [IP::remote_addr] $header_name: [HTTP::header values $header_name] ([string length [HTTP::header $header_name]]) "
   }
}

Request:

GET /oxigames/home/index.jsp HTTP/1.0

Host: virtuefusion.ladbrokes.com

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en-gb,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Cookie: FLAGS=en|en|uk|default|DECIMAL|0|GBP

Via: 1.1 vps.netassassins.com:8080 (squid/2.5.STABLE3)

X-Forwarded-For: 87.86.219.40

Cache-Control: max-age=259200

Connection: keep-alive

Log output:

HTTP_header_DUMP 192.168.101.248 192.168.101.248 X-Forwarded-For: 87.86.219.40 192.168.99.210 192.168.101.248 (15)

This is with XFF insert enabled on the HTTP profile. So 87.86.219.40 is the fake XFF value I sent in my request. 192.168.99.210 is my original client IP. 192.168.101.248 is the proxy server that the request transits before the BIG-IP.

Aaron