Forum Discussion

ant77
Mar 31, 2022

XFF matching in data group not working for redirect

Hello everyone,

Can you help me figure out what the issue is here? I have an iRule that uses the IP address or subnet to match and determine whether the connecting users are "internal/trusted" or "external/non-trusted". If they connect from an environment where they match the data group, they need to be sent to the "/private/IDSearch" URI; otherwise, they get sent to the "/public/IDSearch" area....

For some reason this is not working, and all users, regardless of whether their IP matches the data group, are sent to the "/public/IDSearch" area. Remember, everyone lands on the root page (/public/IDSearch)...it's only matching the data group via XFF that determines whether you stay on /public/IDSearch or get redirected to the /private/IDSearch page.

Please let me know what I am doing wrong and why this is not working...any help with troubleshooting or code recommendations would be appreciated.

Thank you!

Data Group: INTERNAL-USERS-XFF

Contains the outside IP of the FW, since users go out, are then sent to a CDN that proxies the request and inserts the XFF header, and then come back into the data center.

when HTTP_REQUEST {
    if { [HTTP::has_responded] } { return }
    # First non-empty entry of X-Forwarded-For (braces from multiple header values, spaces and commas stripped)
    set CHECK_IP [lindex [lsearch -all -inline -not -exact [split [HTTP::header values X-Forwarded-For] "\{\} ,"] {}] 0]
    if { [class match -- $CHECK_IP eq INTERNAL-USERS-XFF] } {
        # "contains" is a literal substring test; the trailing "*" is matched as a character, not as a wildcard
        if { [HTTP::uri] contains "/public/IDSearch*" } {
            HTTP::redirect "https://[HTTP::host]/private/IDSearch"
            log local0. "IP Address: $CHECK_IP Matching INTERNAL-USERS-XFF => Redirecting to /private/IDSearch"
            return
        } else {
            HTTP::redirect "https://[HTTP::host]/public/IDSearch"
        }
    }
}
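As an added illustration (not code from ant77's post or from F5), here is a Python model of the two decisions the rule makes: the X-Forwarded-For parsing that the split/lsearch expression performs, and the address data-group match, with the redirect issued only once so a matched user cannot bounce between the two pages. It assumes constructed data-group contents and a hypothetical CDN edge range, and it assumes the CDN appends the real client address to any X-Forwarded-For value the client already sent, in which case the leftmost entry the posted rule trusts is client-controlled.

```python
import ipaddress
import re

# Constructed stand-in for the INTERNAL-USERS-XFF address data group: the firewall's
# outside addresses that the CDN reports for users leaving the corporate network.
INTERNAL_USERS_XFF = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Hypothetical CDN edge range that is allowed to append to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

def xff_tokens(header_values):
    """Mirror [split [HTTP::header values X-Forwarded-For] "\\{\\} ,"] followed by
    lsearch -not {}: split each header instance on braces, spaces and commas, drop empties."""
    tokens = []
    for value in header_values:
        tokens.extend(t for t in re.split(r"[{} ,]", value) if t)
    return tokens

def in_data_group(ip, group):
    """[class match -- $ip equals <group>] on an address-type data group: true when the
    address falls inside any listed host or subnet; a non-address never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in group)

def leftmost(header_values, peer_ip):
    """What the posted rule does: trust the first X-Forwarded-For entry, whoever wrote
    it (falls back to the TCP peer when the header is absent)."""
    tokens = xff_tokens(header_values)
    return tokens[0] if tokens else peer_ip

def last_untrusted_hop(header_values, peer_ip):
    """Defensive pick: honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    then walk the list from the right and return the first hop that is not a proxy."""
    if not in_data_group(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    for token in reversed(xff_tokens(header_values)):
        if not in_data_group(token, TRUSTED_PROXIES):
            return token
    return peer_ip

def redirect_target(uri, header_values, peer_ip, pick=last_untrusted_hop):
    """Return the path to redirect to, or None to leave the request alone. Only
    /public/IDSearch (any case) from an internal address is moved; /private never bounces back."""
    client = pick(header_values, peer_ip)
    if in_data_group(client, INTERNAL_USERS_XFF) and uri.lower().startswith("/public/idsearch"):
        return "/private/IDSearch"
    return None
```

Confirm with the CDN whether it replaces or appends X-Forwarded-For: if it replaces the header outright, the leftmost pick the rule uses is sound; if it appends, only the hop-walking pick is.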

  • Hi ant77,

    I modified your iRule slightly.

    I adjusted the comparison string to a case-insensitive comparison.

    Basically, the function you want can now be achieved.

    when HTTP_REQUEST {
        if { [HTTP::has_responded] } { return }
        # First non-empty entry of X-Forwarded-For
        set CHECK_IP [lindex [lsearch -all -inline -not -exact [split [HTTP::header values X-Forwarded-For] "\{\} ,"] {}] 0]
        #log local0. "IP Address: $CHECK_IP"
        if { [class match -- $CHECK_IP eq INTERNAL-USERS-XFF] } {
            #log local0. "match IP Address: $CHECK_IP"
            # case-insensitive URI comparison; "contains" takes a plain substring, no wildcard
            if { [string tolower [HTTP::uri]] contains "/public/idsearch" } {
                HTTP::redirect "https://[HTTP::host]/private/IDSearch"
                log local0. "IP Address: $CHECK_IP Matching INTERNAL-USERS-XFF => Redirecting to /private/IDSearch"
                return
            } else {
                # Matched IP on any other URI, including /private/IDSearch after the redirect above:
                # leave it alone. Redirecting back to /public/IDSearch here would bounce the user between the two pages.
                #log local0. "Matched IP Address: $CHECK_IP, URI [HTTP::uri] left unchanged"
            }
        }
    }

    I hope I can help you.

    Have a good day!!!

    • ant77

      Hi oscarnet,

      Let me change that and see if that will fix the issue. I have a feeling it has something to do with the URI matching, and whether case sensitivity has something to do with it...Are there any specific logs to look for to see whether this does not work or whether the issue is a URI matching issue?

      Thank you!