XFF matching in data group not working for redirect
Hello everyone,
Can you help figure out what the issue is here? I have an iRule that uses the IP address or subnet for matching and determining if the connecting users are "internal/trusted" or external/non-trusted. If they connect from an environment where they match the data group, they need to get sent to the "/private/IDSearch" URI; otherwise, they get sent to the "/public/IDSearch" area.
For some reason this is not working and all users, regardless of whether their IP matches the data group, are sent to the "/public/IDSearch" area. Remember, everyone lands on the root page (/public/IDSearch)... it's only whether you match the data group via XFF that will determine if you stay on the /public/IDSearch page or get redirected to the /private/IDSearch page.
Please let me know what I am doing wrong and why this is not working...any help with troubleshooting or code recommendation would be helpful.
Thank you!
Data Group: INTERNAL-USERS-XFF
Contains the outside of the FW IP since users are going out, then sent to a CDN where they proxy/insert the XFF header, then back into the data center.
when HTTP_REQUEST {
    if {[HTTP::has_responded] } {return}
    set CHECK_IP [lindex [lsearch -all -inline -not -exact [split [HTTP::header values X-Forwarded-For] "\{\} ,"] {}] 0]
    if { ([class match -- $CHECK_IP eq INTERNAL-USERS-XFF]) } {
        if { [HTTP::uri] contains "/public/IDSearch*" } {
            HTTP::redirect "https://[HTTP::host]/private/IDSearch"
            log local0. "IP Address: $CHECK_IP Matching INTERNAL-USERS-XFF => Redirecting to /private/IDSearch"
            return
        } else {
            HTTP::redirect "https://[HTTP::host]/public/IDSearch"
        }
    }
}
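
Added example, not part of the original post: one way to write the rule so that a data group match on the landing path redirects to /private/IDSearch and everything else is left alone. In the posted rule, `contains` compares literal text, so the trailing `*` in "/public/IDSearch*" never matches and matching clients fall into the `else` branch. The example assumes the CDN appends the address it saw as the last X-Forwarded-For entry and that the virtual server only accepts traffic from that CDN; variable names are hypothetical.

```tcl
when HTTP_REQUEST {
    if { [HTTP::has_responded] } { return }

    # Only the landing page needs a decision. starts_with and contains compare
    # literal text, so no trailing "*" is used here.
    if { !([HTTP::path] starts_with "/public/IDSearch") } { return }

    # Collect every address from all X-Forwarded-For headers, in order.
    set xff_ips [list]
    foreach hdr [HTTP::header values X-Forwarded-For] {
        foreach ip [split $hdr ","] {
            set ip [string trim $ip]
            if { $ip ne "" } { lappend xff_ips $ip }
        }
    }
    if { [llength $xff_ips] == 0 } { return }

    # Assumption: the CDN appends the address it saw, so the last entry is the
    # one written by the CDN rather than carried over from the client request.
    set check_ip [lindex $xff_ips end]

    # catch guards against a malformed header value raising a Tcl error.
    set is_internal 0
    if { [catch { set is_internal [class match -- $check_ip equals INTERNAL-USERS-XFF] }] } {
        log local0. "Unparseable X-Forwarded-For entry, treating client as external"
        return
    }

    if { $is_internal } {
        log local0. "IP Address: $check_ip matches INTERNAL-USERS-XFF => redirecting to /private/IDSearch"
        HTTP::redirect "https://[HTTP::host]/private/IDSearch"
    }
}
```

Clients that do not match simply stay on /public/IDSearch, so no second redirect is needed and the rule cannot loop.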