PSilva
Community Manager

Last week, we looked at how to do Selective Compression on BIG-IP with a local traffic policy so this week let’s try something security related using the same procedures.

You can use a BIG-IP local traffic policy to prevent spoofing of the X-Forwarded-For header. This is where bad actors attempt to thwart security by falsifying the client IP address in the header and passing it through the BIG-IP system to the application behind it.

Pre-reqs:

  • We’re using BIG-IP v12, and
  • We already have a Virtual Server configured to manage HTTP traffic with an HTTP profile assigned to it.

Let’s log into a BIG-IP.

The first thing we’ll need to do is create a draft policy. On the main menu select Local Traffic>Policies>Policy List and then the Create or + button.

This takes us to the create policy config screen. Type a unique Policy Name like PreventSpoofOfXFF and, optionally, add a description. Leave the Strategy at the default of Execute First matching rule. Click Create Policy.

We’re then directed to the draft policy’s General Properties page and here we can create the rules for the policy. In the Rules area, click Create.

We’ll give the rule a unique name like StopSpoof. The first condition we need to configure is to match all HTTP traffic with the matching strategy, which means we can use the default setting of All Traffic. Then we’ll tell the policy what to do when the All Traffic condition matches: the new action is to Replace the HTTP header named X-Forwarded-For with the value tcl:[IP::client_addr] (which returns the client IP address of the connection) at request time. Click Save.

Also, save the draft.

And then select the box next to the draft policy and click Publish.

We can now associate the published policy with a virtual server that we’re using to manage HTTP traffic. On the main menu click Local Traffic>Virtual Servers>Virtual Server List and click the name of the virtual server you’d like to associate with the policy.

On the menu bar click Resources and next to Policies click Manage.

Move PreventSpoofOfXFF to the Enabled list and click Finished.

Now, the virtual server with the PreventSpoofOfXFF local traffic policy will defeat any HTTP request that attempts to spoof the X-Forwarded-For header, because the header is rewritten with the real client address of the connection.

Congrats! You’ve easily added additional security to your local traffic policy! You can also watch the full video demo thanks to our TechPubs team.

ps

Comments
amintej
Cirrus

Interesting security tip, but before applying I think it is important to consider whether the backend apps are using the X-Forwarded-For header; in case yes, apps might need reconfiguration to the new value tcl:[IP::client_addr].

jmusci_327228
Nimbostratus

Can I apply it to all VSs that don't need XFF?

Kai_Wilke
MVP

Hi Peter,

A header replace action will replace just the first header instance (if one exists) but leave additional instances (if they exist too) untouched. The server, on the other hand, may evaluate not the first but the last header, and/or combine all header instances at once...

To securely sanitize incoming X-Forwarded-For headers, you have to remove (this will remove every single instance) and then insert the given header.

Cheers, Kai
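As an added illustration of why the distinction in the comment above matters (plain Python written for this page, not F5 code and not the article's policy): a model of the article's Replace action next to the remove-then-insert sequence, run against a constructed request that carries two forged X-Forwarded-For instances, and parsed by two styles of backend. The client address, the request and all function names are assumptions.

```python
# Added example (plain Python, not F5 code): models BIG-IP header actions
# on a request that carries duplicate X-Forwarded-For headers.
# Constructed values: the real TCP peer (what IP::client_addr would return)
# and a request with two forged X-Forwarded-For instances.
CLIENT_ADDR = "203.0.113.10"
XFF = "X-Forwarded-For"
SPOOFED_REQUEST = [
    ("Host", "app.example.com"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("x-forwarded-for", "10.0.0.2"),  # second instance, different case
]

def _is(name, wanted):
    return name.lower() == wanted.lower()  # header names are case-insensitive

def replace_first(headers, name, value):
    """Policy action 'Replace': rewrites only the first instance of name."""
    out, done = [], False
    for n, v in headers:
        if _is(n, name) and not done:
            out.append((n, value))
            done = True
        else:
            out.append((n, v))
    return out

def remove_then_insert(headers, name, value):
    """'Remove' drops every instance; 'Insert' then adds one clean header."""
    out = [(n, v) for n, v in headers if not _is(n, name)]
    out.append((name, value))
    return out

def backend_last(headers, name):
    """Backend that trusts the last instance of the header it receives."""
    vals = [v for n, v in headers if _is(n, name)]
    return vals[-1] if vals else None

def backend_combined(headers, name):
    """Backend that joins all instances into one comma-separated list."""
    return ", ".join(v for n, v in headers if _is(n, name))

def what_backend_sees(action):
    """Apply a header action to the spoofed request; report both parsers."""
    sanitized = action(SPOOFED_REQUEST, XFF, CLIENT_ADDR)
    return {"last": backend_last(sanitized, XFF),
            "combined": backend_combined(sanitized, XFF)}
```

Calling what_backend_sees(replace_first) shows the forged 10.0.0.2 still reaching a last-instance backend, while what_backend_sees(remove_then_insert) yields only the real client address for both parsing styles.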

Version history
Last update: 24-Oct-2017 05:00