Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

How does the LTM deal with a XFF header with two values

Go to solution
Wasfi_Bounni
Cirrocumulus
Cirrocumulus

‎29-Apr-2021 01:31

Hi;

 

How does the LTM deal with an X-Forwarded-For header that has two values. Does it use the last value inserted? If not, how can I make it use the last value inserted?

 

What about two occurances of an X-Forwarded-For header. Does it use the second occurance "the one below the first one"? or does it use the first one?

 

If it uses the first occurance, how can I make it use the second occurance.

 

Kindly

Wasfi

 

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
boneyard
MVP
MVP

‎29-Apr-2021 11:09

how do you exactly mean "deal with"? normally LTM doesn't do anything with a XFF header it receives.

 

are you using a local traffic policy or irule to read / use it?

 

in that case it is up to you to determine how you deal with it, if there are two entries in one header you decide which one to use for your goals.

 

if there are two or more headers you gotta read 'm all and determine which to use and possibly clean it up and only send one further.

 

see this knowledge article for an example how to do that: https://support.f5.com/csp/article/K15732009

 

 

View solution in original post

3 REPLIES 3

Go to solution
boneyard
MVP
MVP

‎29-Apr-2021 11:09

how do you exactly mean "deal with"? normally LTM doesn't do anything with a XFF header it receives.

 

are you using a local traffic policy or irule to read / use it?

 

in that case it is up to you to determine how you deal with it, if there are two entries in one header you decide which one to use for your goals.

 

if there are two or more headers you gotta read 'm all and determine which to use and possibly clean it up and only send one further.

 

see this knowledge article for an example how to do that: https://support.f5.com/csp/article/K15732009

 

 

Go to solution
Wasfi_Bounni
Cirrocumulus
Cirrocumulus
In response to boneyard

‎30-Apr-2021 16:20

Thank you Boneyard. I cannot find the option to mark your answer as best answer anymore. Basicaly, there is an upstream device adding the XFF but the worry is some internal hacker adding his/her XFF before this upstream device yielding two XFF headers or header values upon reaching the BIG-IP.

0 Kudos

Go to solution
jaikumar_f5
MVP
MVP

‎30-Apr-2021 07:52 - last edited on ‎09-Mar-2023 14:54 by Fog

 

 

I think you are seeing or trying to eliminate the security issue where multiple addresses could be forged as client ip address in the XFF header. Beginning in v13, there will be 1 XFF header with multiple addresses could be seen on the header, prior to v13, there were multiple XFF headers.

 

To overcome this, you can use below block code,

when HTTP_REQUEST { 
while {[HTTP::header exists X-Forwarded-For]} { 
HTTP::header replace "X-Forwarded-For" [IP::client_addr] 
}
}

 

Copyright © 2023 Khoros, LLC