Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Problem persistent iRule

Jo_
Nimbostratus
Nimbostratus

‎23-Aug-2022 05:42 - last edited on ‎26-Aug-2022 13:19 by Community Manager

Within the login process, requests are send from a client towards our IDP. That same client also sends requests within the sale login process to a web server that in turn sends requests to our IDP.

The intention is that the requests that come directly from the client and those that go through the web server end up on the same IDP server.

The first IP within the X-Forwarded-For header always contains the client ip. Therefore the following IRule was configured:

if { $static::uri contains "/part_of_url" }{
  if { [HTTP::header exists "X-Forwarded-For"] }{
    persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0]
  }
}

Wat is the result?

Requests from the client directly to the IDP end up on the same IDP server and requests from the same client that go through the web server end up on another IDP. The first attribute of the X-Forwarded_For header is the same clientip for all requests. How can all requests from the same clientIP ends up on the same IDP server?

Labels:
0 Kudos
2 REPLIES 2

Leslie_Hubertus
Community Manager
Community Manager

‎24-Aug-2022 15:04

Hey @Jo_  - thanks for posting and giving some detail. If you don't get an answer soon from the community, I'll ask one of my colleagues to chime in. 

0 Kudos

JRahm
Community Manager
Community Manager

‎26-Aug-2022 13:30 - edited ‎26-Aug-2022 13:34

Just posing some questions to think about, I am not well-versed in the specifics of setting up this configuration on APM.

  1. You are taking the first header in the list of potential X-Forwarded-For headers present, and then taking the first IP address from that header, correct? Is that always desired state?
  2. What event is that logic applied in?
  3. Also you have one-connect enabled? If not, you're evaluating on a per-connection basis, not a per-request basis.
  4. Finally, have you taken packet captures to evaluate your headers ahead of and after BIG-IP?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos
Copyright © 2023 Khoros, LLC