iRule - Source Address and "X-Forwarded For"

muzammil_88686
Nimbostratus

Currently we are using the below iRule which is checking the "X-Forwarded-For" in HTTP header and 10.0.0.0/16 source address

===

    when HTTP_REQUEST {
        if {([HTTP::header exists "X-Forwarded-For"]) and ([string tolower [HTTP::uri]] contains "/wf/hp.me")} {
            switch -glob [HTTP::header values "X-Forwarded-For"] {
                "10.0*" {
                    HTTP::redirect "http://www.test.com/WF/H.me"
                    pool Pool2
                    return
                }
            }
        }

        if {[string tolower [HTTP::path]] starts_with "/wf"} {
            pool Pool2
        }
    }

===

 

 

Apart from the above existing environment, now we want to add "X-Forwarded-For" in HTTP header and 10.3.0.0/16 source address and need to redirect the URL from "http://www.test.com/WF" to "http://www.test.com/WF?sr=new"

Could you pls let me know how can I merge this new requirement with the existing iRule?

Also could you pls let me know if the new proposed iRule can be feasible to accommodate this kind of requests in future?

 

10 REPLIES

What_Lies_Bene1
Cirrostratus
You want to add the XFF header to what? How do we determine what traffic? Please clarify.

 

 

By the way, you don't need the pool Pool2 statement in the first if after the redirect.

muzammil_88686
Nimbostratus
Thank you Steve for your response!

 

 

There is one more F5 which was taking care of inserting the XFF header for the source addresses: 10.0.0.0/16 and 10.3.0.0/16

 

 

The actual URL/Servers are hosted behind the F5 where the above iRule exists.

 

 

Brian_Deitch_11
Historic F5 Account

Let's see if this will work, I'm having a little trouble understanding the request:

    when HTTP_REQUEST {
        # Existing rule: X-Forwarded-For starting with 10.0 requesting /wf/hp.me
        if {([HTTP::header exists "X-Forwarded-For"]) and ([string tolower [HTTP::uri]] contains "/wf/hp.me")} {
            switch -glob [HTTP::header values "X-Forwarded-For"] {
                "10.0*" {
                    HTTP::redirect "http://www.test.com/WF/H.me"
                }
            }
        }
        # New rule: client address in 10.3.0.0/16 requesting a path under /wf
        if { ([IP::addr [IP::client_addr]/16 equals 10.3.0.0]) and ([string tolower [HTTP::path]] starts_with "/wf") } {
            HTTP::header insert X-Forwarded-For [IP::remote_addr]
            HTTP::redirect "http://www.test.com/WF?sr=new"
        }
        if {[string tolower [HTTP::path]] starts_with "/wf"} {
            pool Pool2
        }
    }

 

muzammil_88686
Nimbostratus
Thanks Brian for your response!

 

 

Let me clarify your doubts...

 

 

Current Scenario:

 

-----------------------

 

 

Currently a user who wants to access the URL: "http://www.test.com/wf/hp.me" will be redirected to "http://www.test.com/WF/H.me" if the below two conditions are met

 

 

1) If the HTTP header consists of "X-Forwarded-For"

 

2) Source address is 10.0.0.0/16

 

 

New Scenario/Requirement:

 

--------------------------------------

 

 

Need to add the below requirement for the above "current scenario"

 

 

If the below two conditions are met then it needs to be redirected from "http://www.test.com/wf" to "http://www.test.com/WF?sr=new".

 

 

1) If the HTTP header consists of "X-Forwarded-For"

 

2) Source address is 10.3.0.0/16

 

 

 

Pls let me know if your doubts have been addressed.

What_Lies_Bene1
Cirrostratus
This should do it. It would be better to use ifs instead of switch but leaving it as is makes it more flexible if you want to expand the address ranges:

    when HTTP_REQUEST {
        if { ([HTTP::header exists "X-Forwarded-For"]) and ([string tolower [HTTP::uri]] equals "/wf") } {
            switch -glob [HTTP::header values "X-Forwarded-For"] {
                "10.3.*" {
                    HTTP::redirect "http://www.test.com/WF?sr=new"
                    return
                }
            }
        } elseif { ([HTTP::header exists "X-Forwarded-For"]) and ([string tolower [HTTP::uri]] contains "/wf/hp.me") } {
            switch -glob [HTTP::header values "X-Forwarded-For"] {
                "10.0*" {
                    HTTP::redirect "http://www.test.com/WF/H.me"
                    return
                }
            }
        }
    }

muzammil_88686
Nimbostratus
Thank you Steve!

 

 

Could you pls let me know what the two "return" statements will do in iRule?

 

What_Lies_Bene1
Cirrostratus
You're welcome. Sure, the return statement stops processing the iRule (within that event only) at the point it is used. So, if the conditions for the first if and switch are met, it stops there. The second one under the elseif isn't really required as it's the end of the rule anyway but I include it as good practice in case the rule is expanded.

muzammil_88686
Nimbostratus
Thank you Steve!

 

 

I will test this iRule and let you know about the status.

What_Lies_Bene1
Cirrostratus
You're welcome, please do.

nitass
F5 Employee
just another example.

 

 

    [root@ve10:Active] config b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          set xff [HTTP::header values "X-Forwarded-For"]
          switch "[HTTP::host][HTTP::uri]" {
             "www.test.com/wf" {
                if { [IP::addr $xff equals 10.3.0.0/16] } {
                   HTTP::redirect "http://www.test.com/WF?sr=new"
                }
             }
             "www.test.com/wf/hp.me" {
                if { [IP::addr $xff equals 10.0.0.0/16] } {
                   HTTP::redirect "http://www.test.com/WF/H.me"
                }
             }
          }
       }
    }

    [root@ve10:Active] config curl -I http://www.test.com/wf/hp.me -H "X-Forwarded-For: 10.0.0.1"
    HTTP/1.0 302 Found
    Location: http://www.test.com/WF/H.me
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve10:Active] config curl -I http://www.test.com/wf -H "X-Forwarded-For: 10.3.0.1"
    HTTP/1.0 302 Found
    Location: http://www.test.com/WF?sr=new
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve10:Active] config curl -I http://www.test.com/
    HTTP/1.1 200 OK
    Date: Thu, 29 Nov 2012 12:41:32 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
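
An added example, not code from any participant in this thread: one way to fold both redirects into a single table-driven iRule, so that a further source range is one more row, while tolerating a missing, multi-valued or malformed X-Forwarded-For header. It assumes the upstream F5 appends its entry last (only the final address is checked) and that exact path matches are wanted; the `rules` list and the variable names are illustrative.

```tcl
when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]

    # One row per requirement: {path source-network redirect-target}.
    # "rules" is an illustrative name; add a row for each future range.
    set rules {
        {/wf       10.3.0.0/16 http://www.test.com/WF?sr=new}
        {/wf/hp.me 10.0.0.0/16 http://www.test.com/WF/H.me}
    }

    # Assumption: the upstream F5 appends its entry last, so only the final
    # address of the final X-Forwarded-For header is evaluated.
    set xff ""
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set last [lindex [HTTP::header values "X-Forwarded-For"] end]
        set xff [string trim [lindex [split $last ","] end]]
    }

    foreach rule $rules {
        if { $path ne [lindex $rule 0] } { continue }
        # catch keeps a malformed address from raising a Tcl error;
        # IP::addr compares against the /16 network instead of matching text.
        if { $xff ne ""
             && ![catch { IP::addr $xff equals [lindex $rule 1] } match]
             && $match } {
            HTTP::redirect [lindex $rule 2]
            return
        }
    }

    # Unchanged from the original rule: everything under /wf goes to Pool2.
    if { $path starts_with "/wf" } {
        pool Pool2
    }
}
```

Because the header value arrives in the request, the range check is only as trustworthy as the device that sets it; the rule is meaningful when this virtual server is reachable solely through the upstream F5 that inserts the header.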