Restricting Access to a Virtual by the client IP address in the X-Forwarded-For HTTP header


Description

If you have a proxy in front of the BIG-IP and all client IPs are source-NATed, you can still restrict access to the Virtual if the proxy inserts the original client IP address in the HTTP header X-Forwarded-For.

Environment

  • iRule
  • LTM

Cause

This is an example iRule with a data-group that restricts access to a Virtual when the client IP address is inserted in the HTTP header "X-Forwarded-For".

Recommended Actions

when HTTP_REQUEST {
    # Compare the X-Forwarded-For value against the clients_dg data-group.
    # matchclass is deprecated on current TMOS; "class match" does the same job.
    if { [matchclass [HTTP::header "X-Forwarded-For"] equals clients_dg] } {
        set xffHeader [HTTP::header X-Forwarded-For]
        # Record the blocked address in /var/log/ltm, then drop the connection
        log local0. "X-Forwarded-For IP dropped $xffHeader"
        drop
    }
}

ltm data-group internal clients_dg {
    records {
        10.1.1.51/32 { }
        10.1.1.79/32 { }
        52.100.100.100/32 { }   <--------!!!
    }
    type ip
}

In the above example a client coming from the public IP address 52.100.100.100 is source-NATed by the proxy in front of the BIG-IP. The proxy inserts the HTTP header "X-Forwarded-For" carrying that address.

The example iRule uses a data-group to hold the list of blocked IP addresses.

The BIG-IP will log a message in the /var/log/ltm file like the one below:

Mar 8 10:48:04 BigIP-UnitE-TMOS-15.test.local info tmm3[12003]: Rule /Common/xff-drop <HTTP_REQUEST>: X-Forwarded-For IP dropped 52.100.100.100


Additional Information

None
Published Mar 14, 2023
Version 1.0
  • What if the X-Forwarded-For has multiple IP addresses because several proxy devices each added an IP address to the header separated by ",", for example "1.1.1.1, 2.2.2.2"? How can you match on the first IP address in the XFF header?
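As an added example (not part of the original article or any F5 code), the following iRule handles a multi-hop X-Forwarded-For value by splitting it on "," and checking each hop against the same clients_dg data-group used above. Only the data-group name is taken from the article; everything else is constructed here.

```tcl
when HTTP_REQUEST {
    # Added example, not the article's own iRule. Assumes the address-type
    # data-group clients_dg defined above; nothing else is assumed.

    # Several proxies may each append an address, and a request may even carry
    # more than one X-Forwarded-For header, so collect every value into one
    # comma-separated string before splitting it into hops.
    set xff [join [HTTP::header values X-Forwarded-For] ","]
    set hops [list]
    foreach entry [split $xff ","] {
        set ip [string trim $entry]
        if { $ip ne "" } { lappend hops $ip }
    }
    if { [llength $hops] == 0 } { return }

    # The first (leftmost) hop is what the question asks for, but it is set by
    # whoever sent the request and can be forged. The last hop was appended by
    # the proxy closest to the BIG-IP and is the only value you control.
    set firstHop [lindex $hops 0]
    set lastHop  [lindex $hops end]

    # Check every hop, so a blocked address is caught whether it appears as the
    # client-claimed first entry or as the proxy-appended last entry.
    foreach ip $hops {
        # class match raises a TCL error on a malformed address; catch it so a
        # garbage header cannot abort the iRule and let the request through.
        if { [catch { class match $ip equals clients_dg } matched] } {
            log local0. "X-Forwarded-For malformed entry: $ip"
            continue
        }
        if { $matched } {
            log local0. "X-Forwarded-For IP dropped $ip (first=$firstHop last=$lastHop)"
            drop
            return
        }
    }
}
```

If you really only want to test the first hop, replace the loop with a single `class match $firstHop equals clients_dg`, bearing in mind that this value is client-supplied.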