25-Feb-2018 02:07 - last edited on 02-Jun-2023 09:55 by JimmyPackets
Folks,
I need some help with an ASM geolocation iRule.
I want to allow IP addresses which contain country SG in the forwarder header, since I have restricted my ASM geolocation policy to allow only the SG country to access this application, but due to Google Play integration I am seeing US IP addresses as the source while the original IP is showing in x forwarder.
when ASM_REQUEST_DONE {
    log local0. "Detected Country IP"
    if { ([whereris IP::client_addr] == "SG") && ( [ASM::violation details] contains "VIOLATION_ILLEGAL_GEOLOCATION") }{
        ASM::unblock
        log local0. "[ASM::violation_data]. unblocked for [IP::client_addr]"
    }
}
25-Feb-2018 19:39
You may try [whereis [IP::client_addr] country] https://devcentral.f5.com/wiki/iRules.whereis.ashx
25-Feb-2018 20:14 - last edited on 02-Jun-2023 09:55 by JimmyPackets
when ASM_REQUEST_DONE {
    # Empty string means no SG address has been found in XFF yet.
    set xff_is_sg ""
    # Only look at XFF when the connecting address itself is not in SG.
    if { [whereis [IP::client_addr] country] ne "SG" } {
        if { [HTTP::header exists "X-Forwarded-For"] } {
            # Strip spaces and split the header into its comma-separated entries.
            foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
                log local0. "Current XFF element: $xff"
                # Check if the current XFF IP is in SG:
                if { [whereis $xff country] eq "SG" } {
                    log local0. "$xff is from SG."
                    set xff_is_sg 1
                    break
                }
            }
            if { $xff_is_sg ne "" } {
                ASM::unblock
                return
            }
        }
    }
}
However, XFF can be spoofed. If you know which non-SG IP address range your users are forwarded from, then you can tighten up the rule by trusting that range only when processing XFF.
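
The tightening suggested in the last reply, as an added example that is not part of the thread: XFF is honoured only when the connecting address is in a known forwarder range, the header is read from right to left so entries a client prepended are never reached, and the unblock applies only when geolocation is the sole violation. `trusted_xff_proxies` is a hypothetical address-type data group you would create with the forwarder ranges you have verified.

```tcl
# Added example, not the thread's code.
# Assumption: trusted_xff_proxies is an address-type data group (hypothetical
# name) that holds the forwarder ranges you trust to append to XFF.
when ASM_REQUEST_DONE {
    set violations [ASM::violation names]
    # Act only when geolocation is the sole violation, so ASM::unblock
    # cannot release a request that was also flagged for something else.
    if { [llength $violations] != 1 ||
         [lindex $violations 0] ne "VIOLATION_ILLEGAL_GEOLOCATION" } {
        return
    }
    # Honour XFF only when the TCP peer is a known forwarder.
    if { ![class match [IP::client_addr] equals trusted_xff_proxies] } {
        return
    }
    # Collect every X-Forwarded-For value into one list of hops.
    set raw [join [HTTP::header values "X-Forwarded-For"] ","]
    set hops [split [string map {" " ""} $raw] ","]
    # Walk from the right: the rightmost entries were appended by the
    # trusted forwarders, anything further left is client-controlled.
    for { set i [expr {[llength $hops] - 1}] } { $i >= 0 } { incr i -1 } {
        set hop [lindex $hops $i]
        # A malformed entry may make these commands raise an error;
        # catch it and leave the request blocked.
        if { [catch { set trusted [class match $hop equals trusted_xff_proxies] }] } {
            return
        }
        if { $trusted } {
            continue
        }
        # First hop that is not a trusted forwarder: treat it as the client.
        if { [catch { set cc [whereis $hop country] }] } {
            return
        }
        if { $cc eq "SG" } {
            log local0. "Geo unblock: peer [IP::client_addr], XFF client $hop (SG)"
            ASM::unblock
        }
        # Decide on this hop only; never look further left.
        return
    }
}
```

A request that arrives directly from a non-SG address with a forged `X-Forwarded-For: <SG address>` stays blocked, because the connecting address is not in the data group.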