Restricting Access to a Virtual Server from the client IP address in the X-Forwarded-For HTTP header
Description
If you have a proxy in front of the BIG-IP and all client IP addresses are source NATed, you can still restrict access to the virtual server, provided the proxy inserts the original client IP address in the HTTP header X-Forwarded-For.
Environment
- iRule
- LTM
Cause
This is an example iRule, with a data group, that restricts access to a virtual server based on the client IP address carried in the HTTP header "X-Forwarded-For".
Recommended Actions
    when HTTP_REQUEST {
        # Look up the X-Forwarded-For value in the clients_dg address data group
        if { [matchclass [HTTP::header "X-Forwarded-For"] equals clients_dg] } {
            set xffHeader [HTTP::header "X-Forwarded-For"]
            log local0. "X-Forwarded-For IP dropped $xffHeader"
            # Discard the connection for a blocked client address
            drop
        }
    }

    ltm data-group internal clients_dg {
        records {
            10.1.1.51/32 { }
            10.1.1.79/32 { }
            52.100.100.100/32 { }   <-------- public client IP used in this example
        }
        type ip
    }
In the above example, a client coming from the public IP address 52.100.100.100 is source NATed by the proxy in front of the BIG-IP. The proxy inserts the HTTP header "X-Forwarded-For" with the client's address.
The example iRule uses the clients_dg data group as the list of blocked IP addresses. Because the header is compared with an exact match, the check only works when the proxy sets the header to the single client address rather than appending to an existing chain, and it only protects the virtual server if clients cannot bypass the proxy and reach it directly.
The BIG-IP logs a message in the /var/log/ltm file as shown below:
Mar 8 10:48:04 BigIP-UnitE-TMOS-15.test.local info tmm3[12003]: Rule /Common/xff-drop <HTTP_REQUEST>: X-Forwarded-For IP dropped 52.100.100.100
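As an added example (not part of the original article), the following Python model of the decision the iRule makes goes beyond the exact-match lookup above: it handles a comma-separated X-Forwarded-For chain and only trusts the header when the connection arrives from a trusted proxy. The blocklist mirrors clients_dg; the trusted proxy range 192.0.2.0/24 and the peer addresses are assumptions made up for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed equivalent of the clients_dg data group from the article
BLOCKED = [ipaddress.ip_network(n) for n in ("10.1.1.51/32", "10.1.1.79/32", "52.100.100.100/32")]
# Assumed addresses of the proxies in front of the BIG-IP (hypothetical range)
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def _in_any(addr: ipaddress._BaseAddress, networks: Iterable) -> bool:
    return any(addr in net for net in networks)


def client_ip_from_xff(xff: Optional[str], peer_ip: str, trusted: Iterable) -> Optional[str]:
    """Return the client address the proxy chain vouches for, or None if unusable.

    The header is ignored unless the directly connected peer is a trusted proxy,
    since anything else could have written it. The chain is then walked from the
    right, skipping trusted proxy hops; the first untrusted hop is the client.
    Hops to the left of it were supplied by the client and are not trusted.
    """
    if not xff or not _in_any(ipaddress.ip_address(peer_ip), trusted):
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop (e.g. "unknown"): do not guess
        if not _in_any(addr, trusted):
            return str(addr)
    return None  # every hop was a trusted proxy; no client address to act on


def should_drop(xff: Optional[str], peer_ip: str, blocked=BLOCKED, trusted=TRUSTED_PROXIES) -> bool:
    """Model of the iRule's drop decision for one HTTP request."""
    client = client_ip_from_xff(xff, peer_ip, trusted)
    if client is None:
        return False
    return _in_any(ipaddress.ip_address(client), blocked)
```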