Forum Discussion
Simon_Blakely
Jul 01, 2020 (Employee)
So
[HTTP::header values X-Forwarded-For]
returns a list of values for X-Forwarded-For.
But X-Forwarded-For may have multiple forwarding IPs, and multiple headers, and look like:
X-Forwarded-For: 10.0.0.1, 192.168.10.10
X-Forwarded-For: 172.16.0.200
So what does the iRule see?
[HTTP::header values X-Forwarded-For]
{10.0.0.1, 192.168.10.10} 172.16.0.200
This is a TCL list of X-Forwarded-For headers, with the first entry being
{10.0.0.1, 192.168.10.10}
You need to grab the first item in the TCL list using the following sequence:
{10.0.0.1, 192.168.10.10} 172.16.0.200
[split $xff "\{\} ,"]
{} 10.0.0.1 {} 192.168.10.10 {} 172.16.0.200
[lsearch -all -inline -not -exact [split $xff "\{\} ,"] {}]
10.0.0.1 192.168.10.10 172.16.0.200
[lindex [lsearch -all -inline -not -exact [split $xff "\{\} ,"] {}] 0]
10.0.0.1
So your iRule should be:
when HTTP_REQUEST {
    # Flatten the list of X-Forwarded-For header values into individual
    # addresses and take the first one (the leftmost entry of the first header).
    set CHECK_IP [lindex [lsearch -all -inline -not -exact [split [HTTP::header values X-Forwarded-For] "\{\} ,"] {}] 0]
    # Requests whose address is not in DG-ALLOWED-IP may not reach
    # any URI listed in DG-ALLOWED-URI-LIST.
    if { !([class match $CHECK_IP eq DG-ALLOWED-IP]) } {
        if { [class match [HTTP::uri] eq DG-ALLOWED-URI-LIST] } {
            reject
        }
    }
}
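The same header flattening, written as an added example in plain Tcl (this is not code from the post above or from F5; it runs under tclsh without BIG-IP). Rather than splitting the string form of the list on "\{\} ,", which relies on how Tcl happens to brace-quote the elements, it walks the list elements and splits each on commas. It also shows the caveat a practitioner wants here: the leftmost X-Forwarded-For entry is whatever the original client sent, so an allow-list check on it can be satisfied by any client that adds the header, whereas walking the chain from the right past your own proxies gives the nearest address you did not add yourself. The two X-Forwarded-For values and the trusted-proxy list are constructed test data, and xff_addresses, xff_first_addr and xff_client_addr are hypothetical helper names.

```tcl
# Added example (not the original post's iRule): plain-Tcl version of the
# X-Forwarded-For flattening, runnable with tclsh.

# Constructed input standing in for [HTTP::header values X-Forwarded-For]:
# two X-Forwarded-For headers, the first carrying a two-hop chain.
set xff_values [list "10.0.0.1, 192.168.10.10" "172.16.0.200"]

# Hypothetical list of our own proxies, i.e. the hops whose appended entries
# can be believed. On BIG-IP this would normally be an address data group.
set trusted_proxies [list "172.16.0.200"]

# Flatten a list of X-Forwarded-For header values into one list of addresses,
# splitting each value on commas and dropping whitespace and empty entries.
proc xff_addresses {values} {
    set out [list]
    foreach value $values {
        foreach addr [split $value ","] {
            set addr [string trim $addr]
            if {$addr ne ""} {
                lappend out $addr
            }
        }
    }
    return $out
}

# Leftmost entry: what the iRule above checks. It is whatever the original
# client chose to send, so anybody can set it to an allowed address.
proc xff_first_addr {values} {
    return [lindex [xff_addresses $values] 0]
}

# Walk the chain from the right and return the first address that is not one
# of our own proxies: the nearest hop we did not add ourselves. Entries to the
# left of it were supplied by untrusted parties and are ignored.
proc xff_client_addr {values trusted} {
    set chain [xff_addresses $values]
    for {set i [expr {[llength $chain] - 1}]} {$i >= 0} {incr i -1} {
        set addr [lindex $chain $i]
        if {[lsearch -exact $trusted $addr] < 0} {
            return $addr
        }
    }
    return ""
}

puts "flattened:   [xff_addresses $xff_values]"
puts "leftmost:    [xff_first_addr $xff_values]"
puts "client addr: [xff_client_addr $xff_values $trusted_proxies]"
```

Inside an iRule the same procs work against [HTTP::header values X-Forwarded-For], but the header is only worth reading at all when [IP::client_addr] is itself one of your trusted proxies; when the request arrives directly from the internet, use [IP::client_addr] for the allow-list check and ignore X-Forwarded-For.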