Deb_Allen_18
Historic F5 Account

Problem this snippet solves:

Many servers and applications expect only a single X-Forwarded-For header per request. However, the BIG-IP HTTP profile option appends a new X-Forwarded-For header to the existing set of HTTP headers, even if there is an existing X-Forwarded-For header in the request. Both approaches are valid according to Section 4.2 of RFC2616. F5 Networks Product Development is tracking a Request for Enhancement as CR107639 for BIG-IP to instead append the value to the last existing X-Forwarded-For header. For applications expecting a single X-Forwarded-For header, it is possible to use an iRule like this one instead of the HTTP profile option to append the client IP value to the end of any existing X-Forwarded-For: header.

Code :

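when HTTP_REQUEST {
  # Append the client address to the last existing X-Forwarded-For header, if any
  if {[HTTP::header exists X-Forwarded-For]} {
      HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
  } else {
      # No X-Forwarded-For header in the request: insert one
      HTTP::header insert X-Forwarded-For [IP::client_addr]
  }
}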
Comments
Juraj
Cirrus

The HTTP::header page says about HTTP::header replace [] the following:

 

Replaces the value of the last occurrence of the header named with the string . This command performs a header insertion if the header was not present. If there are multiple instances of the header, only the last instance is replaced.

 

 

Just wondering, wouldn't it be safer to remove all existing instances of X-Forwarded-For first, and then insert our own? That would make sure there's really only one instance of X-Forwarded-For passed to the back-end web application:

 

when HTTP_REQUEST {
  HTTP::header remove X-Forwarded-For
  HTTP::header insert X-Forwarded-For [IP::client_addr]
}
ooo_226278
Nimbostratus

Thank you for a clean solution!
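
As an added illustration (not part of the original thread, and not iRule code), this Python model shows which X-Forwarded-For headers reach the back end under the HTTP profile option, the posted iRule, and the remove-then-insert variant when a request arrives with two such headers. The header values, the helper names, the first-header back end, and the assumption that reading the header returns the last instance's value are constructed for the example.

```python
# Added illustration: models the header handling described on this page over a
# list of (name, value) pairs. Not iRule code; every sample value is constructed.
XFF = "X-Forwarded-For"

def _is_xff(name):
    return name.lower() == XFF.lower()

def xff_values(headers):
    """Values of every X-Forwarded-For header, in wire order."""
    return [v for n, v in headers if _is_xff(n)]

def profile_append(headers, client_ip):
    """HTTP profile option: always adds another X-Forwarded-For header."""
    return headers + [(XFF, client_ip)]

def irule_replace_last(headers, client_ip):
    """Posted iRule: only the last instance is rewritten (assumes the header
    read also returns the last instance's value)."""
    idx = [i for i, (n, _) in enumerate(headers) if _is_xff(n)]
    if not idx:
        return headers + [(XFF, client_ip)]
    out = list(headers)
    out[idx[-1]] = (XFF, f"{out[idx[-1]][1]}, {client_ip}")
    return out

def irule_remove_insert(headers, client_ip):
    """Comment's variant: drop every instance, then insert the client address."""
    return [(n, v) for n, v in headers if not _is_xff(n)] + [(XFF, client_ip)]

def backend_first_header(headers):
    """Hypothetical back end that reads only the first X-Forwarded-For header."""
    return xff_values(headers)[0]

# Constructed request that already carries two X-Forwarded-For headers.
REQUEST = [
    ("Host", "app.example"),
    (XFF, "198.51.100.7"),
    (XFF, "192.0.2.10, 192.0.2.11"),
]
CLIENT_IP = "203.0.113.5"  # stands in for [IP::client_addr]

if __name__ == "__main__":
    for fn in (profile_append, irule_replace_last, irule_remove_insert):
        result = fn(REQUEST, CLIENT_IP)
        print(f"{fn.__name__:20} headers={xff_values(result)} "
              f"first-header back end sees {backend_first_header(result)!r}")
```

Only the remove-then-insert variant leaves a single header whose value is the address BIG-IP observed; it also discards any proxy chain an upstream device legitimately recorded.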

 

Version history
Last update: 18-Mar-2015 16:32