Forum Discussion
TCP Option 28 X-Forwarded-For Header
- Feb 03, 2023
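    when CLIENT_DATA {
        # Read the raw value of TCP option 28 from the client-side connection
        set opt28 [TCP::option get 28]
        # A 4-byte value is treated as a bare IPv4 address
        if { [string length $opt28] == 4 } {
            # Convert the 4 bytes to 8 hex digits, then to dotted-decimal octets
            binary scan $opt28 H8 addr
            scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
            set optaddr "$ip1.$ip2.$ip3.$ip4"
            log local0. "optaddr is $optaddr"
            log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
        }
    }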
Feb 2 19:58:26 bigip01.web.test.com info tmm3[12700]: Rule /Common/Akamai_Opt28 <CLIENT_ACCEPTED>: tcp option 28 length is 0
https://clouddocs.f5.com/api/irules/TCP__option.html
"tcp option 28 length is 0" indicates that Akamai did not send the message with option 28 to F5, so the iRule code below cannot execute:
    if { [string length $opt28] == 5 } {
        binary scan $opt28 c ver
        if { $ver != 1 } {
            log local0. "Unsupported Akamai version: $ver"
        } else {
            set optaddr [IP::addr parse -ipv4 $opt28 1]
        }
    }
Because the variable optaddr does not exist, the action code that inserts XFF will not be executed:
    if { [info exists optaddr] } {
        HTTP::header insert X-Forwarded-For $optaddr
    }
- f5gurunot (Cirrus), Feb 02, 2023
Thanks, appreciate your help! That's what I was thinking as soon as I saw that. Will see what Akamai says.
- f5gurunot (Cirrus), Feb 03, 2023
Akamai double-checked the backend and sees it configured to send TCP option 28.
They can also see TCP option 28 in the traffic sent - see attached PCAP screenshot.
1c 06 05 ff fd 67, where 1c is the option 28, 06 is the length, and 05 ff fd 67 (5.255.253.67) is the source IP.
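An added example, not part of the original thread or of F5's documentation: a small Python parser that walks a raw TCP options field, finds option 28, and reports which of the two length checks used in the iRules above (`== 4` or `== 5`) its payload would satisfy. It assumes the length those iRules test is the option payload (total option length minus the kind and length bytes); the function names and the second sample are constructed for illustration.

```python
import ipaddress

OPT_EOL, OPT_NOP, OPT_28 = 0, 1, 28

def walk_tcp_options(raw: bytes):
    """Yield (kind, payload) for each option in a TCP options field."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:          # end of option list
            return
        if kind == OPT_NOP:          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d truncated before length byte" % kind)
        length = raw[i + 1]          # counts kind + length + payload
        if length < 2 or i + length > len(raw):
            raise ValueError("option %d has bad length %d" % (kind, length))
        yield kind, raw[i + 2:i + length]
        i += length

def describe_option28(raw: bytes):
    """Return payload length, layout and address of option 28, or None if absent."""
    for kind, payload in walk_tcp_options(raw):
        if kind != OPT_28:
            continue
        result = {"payload_len": len(payload), "layout": "unknown", "addr": None}
        if len(payload) == 4:        # bare IPv4 (the `== 4` check)
            result["layout"] = "ipv4"
            result["addr"] = str(ipaddress.IPv4Address(payload))
        elif len(payload) == 5:      # version byte + IPv4 (the `== 5` check)
            result["layout"] = "version+ipv4"
            result["version"] = payload[0]
            result["addr"] = str(ipaddress.IPv4Address(payload[1:]))
        return result
    return None

# Option bytes quoted in the thread, preceded by two constructed NOP pad bytes.
THREAD_SAMPLE = bytes.fromhex("0101" "1c0605fffd67")
# Constructed sample in the version-prefixed layout (192.0.2.10 is a documentation address).
VERSIONED_SAMPLE = bytes.fromhex("1c07" "01" "c000020a")

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("versioned", VERSIONED_SAMPLE)):
        print(name, describe_option28(sample))
```

Because the resulting address ends up in X-Forwarded-For, an option whose payload matches neither layout is reported as `unknown` with no address rather than being parsed on a best-effort basis.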