X Forwarded For Single Header Insert

Problem this snippet solves:

Many servers and applications expect only a single X-Forwarded-For header per request. However, the BIG-IP HTTP profile option appends a new X-Forwarded-For header to the existing set of HTTP headers, even if the request already contains an X-Forwarded-For header. Both approaches are valid according to Section 4.2 of RFC 2616. F5 Networks Product Development is tracking a Request for Enhancement as CR107639 for BIG-IP to instead append the value to the last existing X-Forwarded-For header. For applications expecting a single X-Forwarded-For header, it is possible to use an iRule like this one instead of the HTTP profile option to append the client IP value to the end of any existing X-Forwarded-For header.

Code:

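when HTTP_REQUEST {
  # Append the client IP to the last existing X-Forwarded-For header, if any
  if {[HTTP::header exists X-Forwarded-For]} {
      HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
  } else {
      # No X-Forwarded-For header in the request: insert one
      HTTP::header insert X-Forwarded-For [IP::client_addr]
  }
}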
Published Mar 18, 2015
Version 1.0
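
As an added example (not F5's or the snippet author's code), the Python model below reproduces the header list left by the HTTP profile option and by the iRule, then shows a back-end resolving the client address by reading the combined list from right to left. The function names, the trusted range 10.0.0.0/8 and all addresses are constructed assumptions.

```python
import ipaddress

# Assumption: the BIG-IP reaches the back-end from an address in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def profile_append(xff_headers, client_addr):
    """Model of the HTTP profile option: add a NEW header after existing ones."""
    return list(xff_headers) + [client_addr]


def irule_append(xff_headers, client_addr):
    """Model of the iRule: append to the LAST header, or insert if none exists."""
    if xff_headers:
        return list(xff_headers[:-1]) + [f"{xff_headers[-1]}, {client_addr}"]
    return [client_addr]


def flatten(xff_headers):
    """Combine repeated headers in arrival order (RFC 2616, Section 4.2)."""
    return [p.strip() for h in xff_headers for p in h.split(",") if p.strip()]


def client_ip(xff_headers, peer_addr, trusted=TRUSTED_PROXIES):
    """Walk hops right to left, starting at the TCP peer, and return the first
    address that is not a trusted proxy. Entries further left were supplied by
    the client and are never consulted."""
    hops = flatten(xff_headers) + [peer_addr]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: give up rather than skip past it
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was a trusted proxy


if __name__ == "__main__":
    # Constructed request: the client sent two X-Forwarded-For headers itself.
    incoming = ["203.0.113.50", "192.0.2.1, 192.0.2.2"]
    for model in (profile_append, irule_append):
        seen = model(incoming, "198.51.100.23")
        print(model.__name__, seen, "->", client_ip(seen, "10.1.1.5"))
    print("leftmost entry (client-controlled):", flatten(incoming)[0])
```

Both header layouts resolve to the same address when the list is read from the right; the leftmost entry is whatever the client chose to send.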
  • The HTTP::header page says about HTTP::header replace  [] the following:

    Replaces the value of the last occurrence of the header named with the string . This command performs a header insertion if the header was not present. If there are multiple instances of the header, only the last instance is replaced.

    Just wondering, wouldn't it be safer to remove all existing instances of X-Forwarded-For first, and then insert our own? That would make sure there's really only one instance of X-Forwarded-For passed to the back-end web application:

    when HTTP_REQUEST {
        HTTP::header remove X-Forwarded-For
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }