X Forwarded For Single Header Insert

Deb_Allen_18 · ‎18-Mar-2015

Problem this snippet solves:

Many servers and applications expect only a single X-Forwarded-For header per request. However, the BIG-IP HTTP profile option appends a new X-Forwarded-For header to the existing set of HTTP headers, even if there is an existing X-Forwarded-For header in the request. Both approaches are valid according to Section 4.2 of RFC2616. F5 Networks Product Development is tracking a Request for Enhancement as CR107639 for BIG-IP to instead append the value to the last existing X-Forwarded-For header. For applications expecting a single X-Forwarded-For header, it is possible to use an iRule like this one instead of the HTTP profile option to append the client IP value to the end of any existing X-Forwarded-For: header.

Code :

when HTTP_REQUEST {
  if {[HTTP::header exists X-Forwarded-For]}{
      HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
  } else {  
      HTTP::header insert X-Forwarded-For [IP::client_addr]
  }
}

Juraj · ‎21-Mar-2017

The HTTP::header page says about

HTTP::header replace  []

the following:

¬†

Replaces the value of the last occurrence of the header named with the string . This command performs a header insertion if the header was not present. If there are multiple instances of the header, only the last instance is replaced.

¬†

Just wondering, wouldn't it be safer to remove all existing instances of

X-Forwarded-For

first, and then insert our own? That would make sure there's really only one instance of

X-Forwarded-For

passed to the back-end web application:

¬†

when HTTP_REQUEST {
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}

ooo_226278 · ‎17-May-2017

Thank you for a clean solution!

DevCentral

X Forwarded For Single Header Insert