We've been asked to set something up so that, following a website release, testers can connect to a webserver based on a URI to ensure the release is fine before enabling it within the Pool. We've created a policy which checks for an appended URI at request time and, if found, sends the request from the tester to the appropriate webserver. What we need to do is restrict this for production so only the testers can do this, not the general public. As the F5 does SNAT before hitting the web servers, we thought we could also add an HTTP header to check for the XFF header for the tester's IP address. Unfortunately this doesn't seem to work. Does this seem a reasonable way to solve this problem, and if so, any ideas why it might not be working?
The XFF header has to be added by something, in your case the BIG-IP I assume, but when the request comes in the header isn't inserted yet.
You do have access to the actual public IP when the request enters here, without any device in front of it changing it.
So give it a try on the actual public IP; that should be possible via TCP followed by address.
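
The same check written as an iRule instead of a policy condition, as an added example that is not part of the original question or answer. The data group `tester_ips`, the pool `release_test_pool` and the URI suffix `/release-test` are hypothetical names chosen for illustration.

```tcl
# Added example, not from the original thread. Hypothetical names:
#   tester_ips         - address data group holding the testers' public IPs
#   release_test_pool  - pool containing the web server under test
#   /release-test      - the URI suffix the testers append
when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/release-test" } {
        # IP::client_addr is the source address of the TCP connection as it
        # arrives at the virtual server. It is evaluated before SNAT is
        # applied and before the BIG-IP inserts X-Forwarded-For, so it is
        # the value to match instead of the XFF header.
        if { [class match [IP::client_addr] equals tester_ips] } {
            # Tester: send the request to the server being validated.
            pool release_test_pool
        } else {
            # Anyone else using the test URI is refused and logged.
            log local0. "release-test URI refused for [IP::client_addr]"
            HTTP::respond 403 content "Forbidden"
        }
    }
    # Requests without the suffix fall through to the default pool.
}
```

This only holds when, as the answer states, no device in front of the BIG-IP changes the source address.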