Showing results for 
Search instead for 
Did you mean: 
Historic F5 Account

Problem this snippet solves:

Many servers and applications expect only a single X-Forwarded-For header per request. However, the BIG-IP HTTP profile option appends a new X-Forwarded-For header to the existing set of HTTP headers, even if there is an existing X-Forwarded-For header in the request. Both approaches are valid according to Section 4.2 of RFC2616. F5 Networks Product Development is tracking a Request for Enhancement as CR107639 for BIG-IP to instead append the value to the last existing X-Forwarded-For header. For applications expecting a single X-Forwarded-For header, it is possible to use an iRule like this one instead of the HTTP profile option to append the client IP value to the end of any existing X-Forwarded-For: header.

Code :

  if {[HTTP::header exists X-Forwarded-For]}{
      HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
  } else {  
      HTTP::header insert X-Forwarded-For [IP::client_addr]

The HTTP::header page says about HTTP::header replace [] the following:


Replaces the value of the last occurrence of the header named with the string . This command performs a header insertion if the header was not present. If there are multiple instances of the header, only the last instance is replaced.



Just wondering, wouldn't it be safer to remove all existing instances of X-Forwarded-For first, and then insert our own? That would make sure there's really only one instance of X-Forwarded-For passed to the back-end web application:


when HTTP_REQUEST { HTTP::header remove X-Forwarded-For HTTP::header insert X-Forwarded-For [IP::client_addr] }

Thank you for a clean solution!


Version history
Last update:
‎18-Mar-2015 16:32
Updated by: