Prevent a Spoof of an X-Forwarded-For Request with BIG-IP
Last week, we looked at how to do Selective Compression on BIG-IP with a local traffic policy so this week let’s try something security related using the same procedures.
You can associate a BIG-IP local traffic policy with a virtual server to prevent a spoof of an X-Forwarded-For request. This is where a bad actor attempts to thwart security by falsifying the IP address in the header and passing it through the BIG-IP system.
Pre-reqs:
- We’re using BIG-IP v12 and,
- We already have a Virtual Server configured to manage HTTP traffic with an HTTP profile assigned to it.
Let’s log into a BIG-IP
The first thing we’ll need to do is create a draft policy. On the main menu select Local Traffic>Policies>Policy List and then the Create or + button.
This takes us to the create policy config screen. Type a unique Policy Name like PreventSpoofOfXFF and optionally, add a description. Leave the Strategy at the default of Execute First matching rule. Click Create Policy.
We’re then directed to the draft policy’s General Properties page and here we can create the rules for the policy. In the Rules area, click Create.
We’ll give the rule a unique name like StopSpoof, and the first condition we need to configure is to match all HTTP traffic with the matching strategy. This means we can use the default setting of All Traffic. Then we’ll tell the policy what to do when the All Traffic condition matches. The new action is to Replace the HTTP header named X-Forwarded-For with the value tcl:[IP::client_addr] (which returns the client IP address of the connection) at request time. Click Save.
Also, save the draft.
And then select the box next to the draft policy and click Publish.
We can now associate the published policy with a virtual server that we’re using to manage http traffic. On the main menu click Local Traffic>Virtual Servers>Virtual Server List and click the name of the virtual server you’d like to associate for the policy.
On the menu bar click Resources and next to Policies click Manage.
Move PreventSpoofOfXFF to the Enabled list and click Finished.
Now the virtual server with the PreventSpoofOfXFF local traffic policy will prevent any HTTP request from spoofing the X-Forwarded-For header, because the policy overwrites it with the connection’s real client address.
Congrats! You’ve easily added additional security to your local traffic policy! You can also watch the full video demo thanks to our TechPubs team.
ps
Hi Peter,
A header replace action will replace just the first header instance (if one exists) but leave additional instances (if they exist too) untouched. The server may, on the other hand, evaluate not the first but the last header and/or combine all header instances at once...
To securely sanitize incoming X-Forwarded-For headers, you have to remove (this will remove every single instance) and then insert the given header.
Cheers, Kai
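As an added illustration of the Replace action from the walkthrough above and of Kai’s point about multiple header instances (example code written for this page, not BIG-IP or F5 code), the following Python models the two sanitizing strategies and three common ways a backend reads X-Forwarded-For. The request, the IP addresses and the assumption that a replace on a missing header inserts one are all constructed for the example.

```python
# Added example (not from the original post or from F5): a small simulation of
# how a proxy's X-Forwarded-For handling interacts with the way a backend
# application reads that header. All IPs and requests below are constructed.
from typing import Callable, Dict, List, Tuple

Header = Tuple[str, str]
XFF = "X-Forwarded-For"


def _is_xff(name: str) -> bool:
    # Header names are case-insensitive.
    return name.lower() == XFF.lower()


def replace_first_xff(headers: List[Header], client_ip: str) -> List[Header]:
    """Model of a single 'replace' action: only the first instance is
    overwritten; any further instances are left as the client sent them.
    If no instance exists, one is inserted (assumption made for this model)."""
    out: List[Header] = []
    replaced = False
    for name, value in headers:
        if _is_xff(name) and not replaced:
            out.append((XFF, client_ip))
            replaced = True
        else:
            out.append((name, value))
    if not replaced:
        out.append((XFF, client_ip))
    return out


def remove_then_insert_xff(headers: List[Header], client_ip: str) -> List[Header]:
    """Model of 'remove' followed by 'insert': every instance is dropped,
    then exactly one instance carrying the connection's source IP is added."""
    kept = [(name, value) for name, value in headers if not _is_xff(name)]
    kept.append((XFF, client_ip))
    return kept


def xff_values(headers: List[Header]) -> List[str]:
    """Every comma-separated value from every X-Forwarded-For instance, in order."""
    values: List[str] = []
    for name, value in headers:
        if _is_xff(name):
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def read_first_instance(headers: List[Header]) -> str:
    return next(value for name, value in headers if _is_xff(name))


def read_last_instance(headers: List[Header]) -> str:
    return [value for name, value in headers if _is_xff(name)][-1]


def read_rightmost_value(headers: List[Header]) -> str:
    # Many frameworks join all instances and trust the rightmost entry,
    # the one supposedly written by the nearest proxy.
    return xff_values(headers)[-1]


READERS: Dict[str, Callable[[List[Header]], str]] = {
    "first-instance": read_first_instance,
    "last-instance": read_last_instance,
    "rightmost-joined": read_rightmost_value,
}


def audit(sanitizer: Callable[[List[Header], str], List[Header]],
          headers: List[Header], client_ip: str) -> Dict[str, bool]:
    """Apply a sanitizer, then report for each backend reading style whether
    the IP the backend would act on equals the real connection source."""
    sanitized = sanitizer(headers, client_ip)
    return {name: reader(sanitized) == client_ip for name, reader in READERS.items()}


def xff_is_trustworthy(headers: List[Header], client_ip: str) -> bool:
    """Backend-side check: exactly one instance with exactly one value, equal
    to the source address the proxy reported for the connection."""
    instances = [value for name, value in headers if _is_xff(name)]
    return len(instances) == 1 and xff_values(headers) == [client_ip]


# Constructed request: the client sends two X-Forwarded-For instances; the
# second one carries the address it wants the backend to believe.
CLIENT_IP = "192.0.2.10"                       # real TCP source (documentation range)
SPOOFED_REQUEST: List[Header] = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "203.0.113.9"),        # first instance (a replace overwrites it)
    ("X-Forwarded-For", "198.51.100.7"),       # second instance (survives a replace)
]

if __name__ == "__main__":
    for label, sanitizer in (("replace", replace_first_xff),
                             ("remove+insert", remove_then_insert_xff)):
        print(label, audit(sanitizer, SPOOFED_REQUEST, CLIENT_IP))
```

Running it shows the replace-only policy protecting a backend that reads the first instance while a backend that reads the last instance, or joins all instances and trusts the rightmost value, still sees the client-supplied address; remove followed by insert leaves a single instance that every reading style agrees on, which is also what the `xff_is_trustworthy` check on the application side expects.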
- jmusci_327228 (Nimbostratus):
Can we apply it to all VSs that don't need XFF?
- amintej (Cirrus):
Interesting security tip, but before applying it I think it is important to consider whether the backend apps are using the X-Forwarded-For header; if so, apps might need reconfiguration to the new value tcl:[IP::client_addr].