Forum Discussion

Ganesh_Garg
Dec 08, 2016

Actual Client IP and Proxy IP in X-Forwarded-For

We have a setup where clients are behind a proxy and the proxy is the src-ip for LTM. We have enabled X-Forwarded-For and we are getting the Proxy-IP in the header, but now the requirement is to have the actual client IP as well in the header (Client-IP, Proxy1-IP).

 

I have enabled X-Forwarded-For on the proxy, but it still seems that the LB is replacing the header with the latest one (proxy-ip).

 

Please suggest how to get both IPs in the header.

 

3 Replies

  • Hi Ganesh,

    to consolidate multiple occurrences of X-Forwarded-For headers, you may try the iRule below...

    when HTTP_REQUEST {
        if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
            HTTP::header remove "X-Forwarded-For" 
            HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
        } else {
            HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
        }
    }
    

    The iRule will collect any existing X-Forwarded-For header values, then remove any existing X-Forwarded-For headers and finally create a new one with the collected values + the current "X-Forwarded-For" value. E.g.:

    Incoming HTTP request headers

    GET / HTTP/1.1  
    Host: site.domain.de  
    ... 
    X-Forwarded-For: 1.1.1.1  
    X-Forwarded-For: 2.2.2.2, 3.3.3.3
    X-Forwarded-For: 4.4.4.4 
    

    Outgoing HTTP request headers

    GET / HTTP/1.1  
    Host: site.domain.de  
    ... 
    X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5
    

    Note: Make sure to disable the automatic X-Forwarded-For insert option in your HTTP profile. The insert will be already handled by this iRule...

    Cheers, Kai

  • JG

    Would the following fix this for you?

     

    In Configuration Utility go:

    • Local Traffic ›› Profiles : Services : HTTP ›› your_http_profile
    • and tick the box for "Accept XFF"
    • Fill the field of "XFF Alternative Names"

  • Hi Ganesh,

    I've just checked the provided iRule and it works for me. Please use the iRule below to troubleshoot the issue and post back the resulting logs...

    when HTTP_REQUEST {
    
        log local0.debug "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
    
        if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
            HTTP::header remove "X-Forwarded-For" 
            HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
        } else {
            HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
        }
    
        log local0.debug "New XFF: [HTTP::header values "X-Forwarded-For"]"
    
    }
    

    Note: Also make sure the "Insert X-Forwarded-For" option of your attached HTTP profile is set to "disable".

    Cheers, Kai
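
Added example, not part of the thread and not F5 code: a Python model of the header the iRule above produces, and of how a backend can read it by walking right to left past its own proxies, because every entry further left arrived in the request and is unverified. The function names, the trusted-proxy list and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress


def consolidate_xff(header_values, peer_addr):
    """Model of the iRule: flatten every X-Forwarded-For header line into one
    comma-separated value and append the address the request arrived from."""
    hops = [h.strip() for v in header_values for h in v.split(",") if h.strip()]
    # getfield [IP::client_addr] "%" 1 drops the route-domain suffix (e.g. %1)
    hops.append(peer_addr.split("%", 1)[0])
    return ", ".join(hops)


def client_from_xff(xff, trusted_proxies):
    """Return the right-most hop that is not one of our own proxies.
    Entries to the left of it were supplied by that hop and are unverified.
    Returns None if an entry is malformed or only trusted proxies are listed."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess
        if not any(addr in net for net in nets):
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample: the client (203.0.113.7) sent its own XFF value
    # (198.51.100.99), the proxy appended the client address, and the LTM
    # sees the proxy (192.0.2.10, route domain 1) as the source address.
    from_proxy = ["198.51.100.99, 203.0.113.7"]
    xff = consolidate_xff(from_proxy, "192.0.2.10%1")
    print("header sent to pool member:", xff)
    print("left-most entry           :", xff.split(",")[0])
    print("right-most untrusted hop  :", client_from_xff(xff, ["192.0.2.0/24"]))
```

The left-most entry is whatever the request carried, so logging and access decisions on the pool member should use the right-most untrusted hop.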