Forum Discussion
xff and geolocation
User
If I want to create a DoS L7 profile that checks the XFF header as the source address (I will add an HTTP+XFF profile), and I want to exclude a country from the DoS L7 policy using an LTM policy, can this be done with XFF? Can the LTM policy recognise the geolocation of XFF addresses?
If not with an LTM policy, can this be done with an iRule?
Using the X-Forwarded-For (XFF) header to determine the source IP address can be helpful, but the LTM policy itself won't have built-in functionality to directly recognize the geolocation of the IP addresses extracted from the XFF header. However, you can achieve this functionality with iRules.
Here's a general approach using an iRule:
Extract the client IP address from the XFF header.
Use a geolocation lookup service or database (e.g., MaxMind GeoIP) to determine the country associated with the extracted IP address.
Implement logic in the iRule to exclude requests coming from the specified country from the DoS L7 policy.
An iRule allows for more flexible and custom scripting, enabling you to manipulate traffic based on various conditions, including the XFF header and geolocation data. Below is a simplified example of how you might implement this:
```tcl
when HTTP_REQUEST {
    set xff_header [HTTP::header "X-Forwarded-For"]
    if { $xff_header ne "" } {
        # Extract the client IP address from the XFF header (leftmost entry)
        set client_ip [string trim [lindex [split $xff_header ","] 0]]
        # Perform geolocation lookup for the client IP address.
        # BIG-IP has no geo::ipcountry command; the built-in lookup is
        # "whereis", which returns the two-letter ISO 3166 country code.
        set country [whereis $client_ip country]
        # Check if the request is coming from the excluded country
        if { $country eq "Excluded_Country_Code" } {
            # Exclude this request from the DoS L7 profile (do not reject it;
            # the goal is to exempt the country, not to block it)
            DOSL7::disable
            return
        }
    }
    # If not from the excluded country, continue processing the request
    # Add other logic or actions here
}
```
Replace "Excluded_Country_Code" with the appropriate country code for the country you want to exclude from the DoS L7 policy.
Keep in mind that implementing such logic can add complexity to your configuration, and you should thoroughly test and validate the iRule to ensure it behaves as expected and does not inadvertently block legitimate traffic. Additionally, consider the performance impact of using iRules, especially if they are processing a large volume of traffic.
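One caveat the answer above leaves out: the leftmost X-Forwarded-For entry is whatever the client chose to send, so an exemption keyed on it lets an attacker claim an address in the exempt country and step around the DoS L7 profile. The following iRule is an added example written for this page, not code from the thread or from F5. It honours XFF only when the TCP peer is one of your own proxies, walks the chain from the right past those proxies to the nearest hop you cannot vouch for, guards the lookups against malformed values, and only then exempts the country. The trusted-proxy subnets, the exempt country "IL" and the log line are assumptions to adapt to your deployment.

```tcl
when HTTP_REQUEST {
    # Added example, not code from the thread or from F5; values are assumptions.
    set exempt_country "IL"                                ;# ISO 3166 code, as whereis returns it
    set trusted_proxies [list 10.0.0.0/8 192.168.0.0/16]   ;# subnets of proxies you operate

    # The TCP peer is the only address no header can forge; start there.
    set client_ip [IP::client_addr]

    # Is the peer one of our proxies? Only then does XFF carry trustworthy hops.
    set peer_trusted 0
    foreach net $trusted_proxies {
        if { [IP::addr $client_ip equals $net] } { set peer_trusted 1 ; break }
    }

    if { $peer_trusted } {
        # Collect every hop; a request may carry X-Forwarded-For more than once.
        set hops [list]
        foreach hdr [HTTP::header values X-Forwarded-For] {
            foreach hop [split $hdr ","] {
                set hop [string trim $hop]
                if { $hop ne "" } { lappend hops $hop }
            }
        }
        # Walk from the right (BIG-IP's Tcl has no lreverse): the rightmost hop
        # that is not one of our proxies is the nearest party we cannot vouch
        # for. Hops to its left were written by that party and may be forged.
        for { set i [expr {[llength $hops] - 1}] } { $i >= 0 } { incr i -1 } {
            set hop [lindex $hops $i]
            set hop_trusted 0
            foreach net $trusted_proxies {
                # IP::addr errors on a malformed hop; treat that as "not trusted"
                if { ![catch { IP::addr $hop equals $net } hit] && $hit } {
                    set hop_trusted 1 ; break
                }
            }
            if { !$hop_trusted } { set client_ip $hop ; break }
        }
    }

    # whereis also errors on garbage (a forged hop need not be an IP); a
    # failed lookup yields an empty country and therefore no exemption.
    if { [catch { whereis $client_ip country } country] } { set country "" }

    if { $country eq $exempt_country } {
        # Exempt only this request; the DoS L7 profile attached to the virtual
        # server stays in force for every other request.
        DOSL7::disable
        log local0. "DoS L7 exempt: client=$client_ip country=$country"
    }
}
```

Attach the DoS L7 profile (and the HTTP profile with "Accept XFF" enabled) to the virtual server as usual; the iRule only switches the profile off for the exempt requests, so a request with no usable XFF, or one arriving directly from an untrusted peer, is still evaluated by the profile against the real source address.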
- veredgfbll, Mar 19, 2024 (Cirrus)
Thank you very much. I will test this irule. I can already say that the LTM policy does not recognize geolocation from xff IPs, so this may be our only option.
Thanks
- veredgfbll, Mar 19, 2024 (Cirrus)
I made some changes, as I didn't find any command named geo::ipcountry.
```tcl
when HTTP_REQUEST {
    set xff_header [HTTP::header "X-Forwarded-For"]
    if { $xff_header ne "" } {
        # Extract the client IP address from the XFF header
        set client_ip [lindex [split $xff_header ","] 0]
        # Check if the request is *not* coming from the excluded country
        if { !([whereis $client_ip country] equals "country_code") } {
            # enable dos profile
            DOSL7::enable dos
            #return
        } else {
            DOSL7::disable
        }
    }
}
```
I need to test it....
Will update.