Forum Discussion

Vidas
Sep 23, 2022

Evaluate String against data-group of IP data

Hello to all,

I have AKAMAI as a CDN provider in front of my F5 published services. I have configured a data-group of type "Address" and before AKAMAI, I checked if the client IP could be found in this data-group and allowed access towards a specific path:

    # case body inside the switch -glob on the request URI
    "/uri_path*" {
        pool server-pool
        if { !([class match [IP::client_addr] equals dg_allowed_ips]) } {
            HTTP::respond 403 content ""
            log local0. "tried to connect to ret from [IP::client_addr]"
        }
    }


Now after introducing AKAMAI, since the client IP is replaced by that of the connecting AKAMAI server, I needed to get the actual client IP using a custom header:

    # prefer the CDN-supplied header, fall back to the connecting address
    if { ([HTTP::header exists "True-Client-IP"]) and ([HTTP::header "True-Client-IP"] != "") } {
        set True_Client_IP [HTTP::header "True-Client-IP"]
    } else {
        set True_Client_IP [IP::client_addr]
    }


If I change the evaluation to use this new variable, it basically never matches since the variable is of type "string" whereas the data group contains IPs:

    # same case body, now evaluating the header-derived variable
    "/uri_path*" {
        pool server-pool
        if { !([class match $True_Client_IP equals dg_allowed_ips]) } {
            HTTP::respond 403 content ""
            log local0. "tried to connect to ret from $True_Client_IP"
        }
    }

So the question becomes: can I evaluate a string against an IP data-group? Can I somehow change the variable type to be IP?

Thank you all
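The lookup the question describes, a header-supplied client address checked against an Address data group, modelled in Python as an added example; it is not an iRule and not code from this thread, and the data-group contents, the CDN edge range and the header handling are assumptions. It also adds the check a practitioner would want here: the header is honoured only when the connection really comes from a CDN node, since otherwise any client can set True-Client-IP itself.

```python
import ipaddress

# Constructed stand-in for the "Address" data group dg_allowed_ips (hypothetical
# values): entries may be single hosts or subnets, as in a BIG-IP address group.
DG_ALLOWED_IPS = [ipaddress.ip_network(n) for n in ("203.0.113.10", "198.51.100.0/24")]

# Constructed CDN edge range (hypothetical value). True-Client-IP is only
# meaningful when the TCP peer is one of these nodes.
CDN_EDGES = [ipaddress.ip_network("192.0.2.0/24")]


def in_group(addr, group):
    """Model of 'class match $ip equals <address group>': true when the
    address is a listed host or falls inside a listed subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def effective_client_ip(peer_addr, headers):
    """The question's fallback logic, with two additions: trust the header
    only when the peer is a CDN edge, and reject values that do not parse as
    an IP (stray whitespace, a trailing port or a comma list would otherwise
    silently never match the data group)."""
    raw = headers.get("True-Client-IP", "").strip()
    if raw and in_group(peer_addr, CDN_EDGES):
        try:
            return str(ipaddress.ip_address(raw))
        except ValueError:
            return None  # malformed header value: treat as untrusted
    return peer_addr


def allow_request(peer_addr, headers):
    """Decision for the /uri_path* branch: True to serve, False for the 403."""
    client = effective_client_ip(peer_addr, headers)
    return client is not None and in_group(client, DG_ALLOWED_IPS)


if __name__ == "__main__":
    # Constructed requests: direct client, CDN-forwarded client, spoof attempt.
    print(allow_request("203.0.113.10", {}))
    print(allow_request("192.0.2.5", {"True-Client-IP": "198.51.100.77"}))
    print(allow_request("10.9.8.7", {"True-Client-IP": "203.0.113.10"}))
```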

3 Replies

  • Technically, [IP::client_addr] also returns a string. Are you getting any logic errors in the LTM log?

    Try logging the value of True_Client_IP to see if maybe there's some anomalous characters in the value.

    log local0. "|${True_Client_IP}|"


  • Vidas

    No, I don't get any errors in the logs. I've also inserted the extra logging, and it correctly includes the IP without any special characters.

    • Kevin_Stewart

      What do the address values look like in your data group?

      And what BIG-IP version?

      I've tested this logic on a 17.0 box and it appears to work fine.