Prevent a Spoof of an X-Forwarded-For Request with BIG-IP
Last week, we looked at how to do Selective Compression on BIG-IP with a local traffic policy, so this week let’s try something security related using the same procedures. You can associate a BIG-I...
Published Oct 24, 2017
Version 1.0
PSilva
Technical writer, evangelist, speaker, video host, story teller and overall clever guy. Bringing the slightly theatrical and fairly technical together, I train, write, speak, along with overall evangelism. Highly technical information security professional with social media skills who has also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others.
Ret. Employee
Kai_Wilke
MVP
Nov 24, 2017
Hi Peter,
A header replace action will replace just the first header instance (if it exists) but leave additional instances (if they exist too) untouched. The server may, on the other hand, evaluate not the first but the last header and/or combine all header instances at once...
To securely sanitize incoming X-Forwarded-For headers, you have to remove (this will remove every single instance) and then insert the given header.
Cheers, Kai
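The difference between the two approaches in the comment above, as an added example that is not part of the original article or thread. It is a constructed Python model of header handling, not BIG-IP code; the function names, the sample request and the addresses are assumptions.

```python
# Added illustration: a constructed model of header handling, not BIG-IP code.
XFF = "X-Forwarded-For"

def replace_first(headers, name, value):
    """Rewrite only the first instance of `name`; later instances pass through."""
    out, done = [], False
    for k, v in headers:
        if not done and k.lower() == name.lower():
            out.append((k, value))
            done = True
        else:
            out.append((k, v))
    return out

def remove_then_insert(headers, name, value):
    """Drop every instance of `name`, then add a single trusted one."""
    out = [(k, v) for k, v in headers if k.lower() != name.lower()]
    out.append((name, value))
    return out

def backend_last(headers, name):
    """A server that trusts the last instance of the header."""
    vals = [v for k, v in headers if k.lower() == name.lower()]
    return vals[-1] if vals else None

def backend_joined(headers, name):
    """A server that folds all instances into one comma-separated value."""
    vals = [v for k, v in headers if k.lower() == name.lower()]
    return ", ".join(vals) if vals else None

# Constructed request: the client supplies two X-Forwarded-For headers.
CLIENT_IP = "203.0.113.7"  # peer address seen by the proxy (documentation range)
REQUEST = [("Host", "app.example"), (XFF, "10.0.0.1"), (XFF, "127.0.0.1")]

def compare():
    """Return what each model server sees after each sanitizing strategy."""
    replaced = replace_first(REQUEST, XFF, CLIENT_IP)
    sanitized = remove_then_insert(REQUEST, XFF, CLIENT_IP)
    return {
        "replace, server reads last": backend_last(replaced, XFF),
        "replace, server joins all": backend_joined(replaced, XFF),
        "remove+insert, server reads last": backend_last(sanitized, XFF),
        "remove+insert, server joins all": backend_joined(sanitized, XFF),
    }

if __name__ == "__main__":
    for case, seen in compare().items():
        print(f"{case}: {seen}")
```

With replace alone, the client-supplied second instance still reaches the server; after remove-then-insert, only the proxy's value remains.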