What is HTTP Part V - HTTP Profile Basic Settings

In the first four parts of this series on HTTP, we laid the foundation for understanding what’s to come. In this article, we’ll focus on the basic settings in the BIG-IP HTTP profile. Before we dive ...
Updated Jun 06, 2023
Version 2.0
application delivery
BIG-IP
http
series-what-is-http
TMOS
Brian_Thompson's avatar
Brian_Thompson
Icon for Nimbostratus rankNimbostratus
Oct 13, 2017

Thanks Jason- my scenario was a bit of a loaded question, maybe you can play with this in your lab and append the article.

 

a. XFF headers used to track ClientIP, and used for WhiteListing (i.e, ASM, downstream servers, etc)

 

b. Forged XFF headers trigger whitelist logic, allowing an attacker to bypass policy or iRules

 

c. hundreds of VIPs- loading an iRule with a workaround is tedious and messy

 

d. Upon research, it appears that "Accept XFF" is the intended setting in the HTTP profile, with this unchecked, the XFF headers that may exist (or may be forged) would be dropped

 

e. Insert XFF puts a proper, trusted/valid XFF header in place

 

In my testing and observation, the Accept XFF feature does not accomplish this- it seems to only apply to the statistics tracking validating the XFF header as a legitimate clientIP- is this oversight on PD's part? Why is there not a simple setting to drop any pre-existing inbound XFF headers so this can be applied to groups of VIP's via profiles