cancel
Showing results for 
Search instead for 
Did you mean: 

How does the LTM deal with a XFF header with two values

Wasfi_Bounni
Cirrostratus
Cirrostratus

Hi;

 

How does the LTM deal with an X-Forwarded-For header that has two values. Does it use the last value inserted? If not, how can I make it use the last value inserted?

 

What about two occurances of an X-Forwarded-For header. Does it use the second occurance "the one below the first one"? or does it use the first one?

 

If it uses the first occurance, how can I make it use the second occurance.

 

Kindly

Wasfi

 

 

1 ACCEPTED SOLUTION

boneyard
MVP
MVP

how do you exactly mean "deal with"? normally LTM doesn't do anything with a XFF header it receives.

 

are you using a local traffic policy or irule to read / use it?

 

in that case it is up to you to determine how you deal with it, if there are two entries in one header you decide which one to use for your goals.

 

if there are two or more headers you gotta read 'm all and determine which to use and possibly clean it up and only send one further.

 

see this knowledge article for an example how to do that: https://support.f5.com/csp/article/K15732009

 

 

View solution in original post

3 REPLIES 3

boneyard
MVP
MVP

how do you exactly mean "deal with"? normally LTM doesn't do anything with a XFF header it receives.

 

are you using a local traffic policy or irule to read / use it?

 

in that case it is up to you to determine how you deal with it, if there are two entries in one header you decide which one to use for your goals.

 

if there are two or more headers you gotta read 'm all and determine which to use and possibly clean it up and only send one further.

 

see this knowledge article for an example how to do that: https://support.f5.com/csp/article/K15732009

 

 

Thank you Boneyard. I cannot find the option to mark your answer as best answer anymore. Basicaly, there is an upstream device adding the XFF but the worry is some internal hacker adding his/her XFF before this upstream device yielding two XFF headers or header values upon reaching the BIG-IP.

 

 

I think you are seeing or trying to eliminate the security issue where multiple addresses could be forged as client ip address in the XFF header. Beginning in v13, there will be 1 XFF header with multiple addresses could be seen on the header, prior to v13, there were multiple XFF headers.

 

To overcome this, you can use below block code,

when HTTP_REQUEST { while {[HTTP::header exists X-Forwarded-For]} { HTTP::header replace "X-Forwarded-For" [IP::client_addr] } }