Forum Discussion

muzammil_88686
Nov 28, 2012

iRule - Source Address and "X-Forwarded For"

Currently we are using the below iRule, which is checking the "X-Forwarded-For" in HTTP header and 10.0.0.0/16 source address

 

===

    when HTTP_REQUEST {
        if {([HTTP::header exists "X-Forwarded-For"]) and ([string tolower [HTTP::uri]] contains "/wf/hp.me")} {
            switch -glob [HTTP::header values "X-Forwarded-For"] {
                "10.0*" {
                    HTTP::redirect "http://www.test.com/WF/H.me"
                    pool Pool2
                    return
                }
            }
        }

        if {[string tolower [HTTP::path]] starts_with "/wf"} {
            pool Pool2
        }
    }

===

 

 

Apart from the above existing environment, now we want to add "X-Forwarded-For" in HTTP header and 10.3.0.0/16 source address and need to redirect the URL from "http://www.test.com/WF" to "http://www.test.com/WF?sr=new"

Could you pls let me know how I can merge this new requirement with the existing iRule?

Also could you pls let me know if the new proposed iRule can be feasible to accommodate this kind of requests in future?

 

10 Replies

  • You want to add the XFF header to what? How do we determine what traffic? Please clarify.

    By the way, you don't need the pool Pool2 statement in the first if after the redirect.
  • Thank you Steve for your response!

    There is one more F5 which was taking care of inserting the XFF header for the source addresses: 10.0.0.0/16 and 10.3.0.0/16

    The actual URL/Servers are hosted behind the F5 where the above iRule exists.

     

     

  • Brian_Deitch_11
    Historic F5 Account

    Let's see if this will work, I'm having a little trouble understanding the request:

    
    when HTTP_REQUEST {
        # Existing rule: X-Forwarded-For starting with 10.0 on /wf/hp.me
        if { ([HTTP::header exists "X-Forwarded-For"]) and ([string tolower [HTTP::uri]] contains "/wf/hp.me") } {
            switch -glob [HTTP::header values "X-Forwarded-For"] {
                "10.0*" {
                    HTTP::redirect "http://www.test.com/WF/H.me"
                }
            }
        }

        # New rule: client address in 10.3.0.0/16 on paths under /wf
        if { ([IP::addr [IP::client_addr]/16 equals 10.3.0.0]) and ([string tolower [HTTP::path]] starts_with "/wf") } {
            HTTP::header insert X-Forwarded-For [IP::remote_addr]
            HTTP::redirect "http://www.test.com/WF?sr=new"
        }
        if { [string tolower [HTTP::path]] starts_with "/wf" } {
            pool Pool2
        }
    }
    

  • Thanks Brian for your response!

    Let me clarify your doubts...

    Current Scenario:
    -----------------------

    Currently, a user who wants to access the URL "http://www.test.com/wf/hp.me" will be redirected to "http://www.test.com/WF/H.me" if the below two conditions are met:

    1) If the HTTP header consists of "X-Forwarded-For"
    2) Source address is 10.0.0.0/16

    New Scenario/Requirement:
    --------------------------------------

    Need to add the below requirement for the above "current scenario".

    If the below two conditions are met then it needs to be redirected from "http://www.test.com/wf" to "http://www.test.com/WF?sr=new".

    1) If the HTTP header consists of "X-Forwarded-For"
    2) Source address is 10.3.0.0/16

    Pls let me know if your doubts have been addressed.
  • This should do it. It would be better to use ifs instead of switch but leaving it as is makes it more flexible if you want to expand the address ranges:

    when HTTP_REQUEST {
     # New requirement: /wf with an X-Forwarded-For value starting with 10.3.
     if { ([HTTP::header exists "X-Forwarded-For"]) and ([string tolower [HTTP::uri]] equals "/wf") } {
      switch -glob [HTTP::header values "X-Forwarded-For"] {
       "10.3.*" {
        HTTP::redirect "http://www.test.com/WF?sr=new"
        return
       }
      }
     } elseif { ([HTTP::header exists "X-Forwarded-For"]) and ([string tolower [HTTP::uri]] contains "/wf/hp.me") } {
      # Existing requirement: /wf/hp.me with an X-Forwarded-For value starting with 10.0
      switch -glob [HTTP::header values "X-Forwarded-For"] {
       "10.0*" {
        HTTP::redirect "http://www.test.com/WF/H.me"
        return
       }
      }
     }
    }
    
  • Thank you Steve!

    Could you pls let me know what the two "return" statements will do in iRule?

  • You're welcome. Sure, the return statement stops processing the iRule (within that event only) at the point it is used. So, if the conditions for the first if and switch are met, it stops there. The second one under the elseif isn't really required as it's the end of the rule anyway but I include it as good practice in case the rule is expanded.
  • just another example.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
       set xff [HTTP::header values "X-Forwarded-For"]
       switch "[HTTP::host][HTTP::uri]" {
          "www.test.com/wf" {
             if { [IP::addr $xff equals 10.3.0.0/16] } {
                HTTP::redirect "http://www.test.com/WF?sr=new"
             }
          }
          "www.test.com/wf/hp.me" {
             if { [IP::addr $xff equals 10.0.0.0/16] } {
                HTTP::redirect "http://www.test.com/WF/H.me"
             }
          }
       }
    }
    }
    
    [root@ve10:Active] config  curl -I http://www.test.com/wf/hp.me -H "X-Forwarded-For: 10.0.0.1"
    HTTP/1.0 302 Found
    Location: http://www.test.com/WF/H.me
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    
    [root@ve10:Active] config  curl -I http://www.test.com/wf -H "X-Forwarded-For: 10.3.0.1"
    HTTP/1.0 302 Found
    Location: http://www.test.com/WF?sr=new
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    
    [root@ve10:Active] config  curl -I http://www.test.com/
    HTTP/1.1 200 OK
    Date: Thu, 29 Nov 2012 12:41:32 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
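
The rules in this thread decide on the text of X-Forwarded-For, and the curl test above shows the redirect firing for a header typed on the command line. The following iRule is an added example, not code from any poster: it makes the same two redirect decisions but honors the header only when the request arrives from the upstream F5, keeps the last entry of a multi-valued header, and compares by CIDR prefix instead of a string glob. The peer address 192.0.2.10 is a placeholder assumption, and pool selection is left out.

```tcl
when HTTP_REQUEST {
    # ASSUMPTION: 192.0.2.10 is a placeholder for the address of the upstream
    # F5 that inserts X-Forwarded-For. From any other peer the header is
    # client-supplied, so no redirect decision is based on it.
    if { ![IP::addr [IP::client_addr] equals 192.0.2.10] } {
        return
    }

    # The header can occur more than once and each occurrence can hold a
    # comma-separated list. Join everything and keep the last entry, the one
    # written by the nearest proxy (assumes that proxy appends its entry).
    set xff_all [join [HTTP::header values "X-Forwarded-For"] ","]
    set xff [string trim [lindex [split $xff_all ","] end]]
    if { $xff eq "" } {
        return
    }

    # IP::addr raises a Tcl error on a malformed address; catch it so a bad
    # header cannot abort the rule. Compare by prefix, not by string glob.
    if { [catch {
        set in_10_3 [IP::addr $xff equals 10.3.0.0/16]
        set in_10_0 [IP::addr $xff equals 10.0.0.0/16]
    }] } {
        log local0. "X-Forwarded-For ignored: not a valid IP address"
        return
    }

    # Same URI tests as in the thread; only one redirect can fire per request.
    set uri [string tolower [HTTP::uri]]
    if { $in_10_3 && $uri eq "/wf" } {
        HTTP::redirect "http://www.test.com/WF?sr=new"
    } elseif { $in_10_0 && $uri contains "/wf/hp.me" } {
        HTTP::redirect "http://www.test.com/WF/H.me"
    }
}
```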