Forum Discussion
f5gurunot
Cirrus
CirrusTCP Option 28 X-Forwarded-For Header
Using Akamai for DDOS mitigation and the requests sent to us show Akamai IP instead of the Client IP. I have enabled TCP Option 28 and trying to insert the Client IP into X-Forwarded-For header. I ...
when CLIENT_DATA {
set opt28 [TCP::option get 28]
if { [string length $opt28] == 4 } {
binary scan $opt28 H8 addr
scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
set optaddr "$ip1.$ip2.$ip3.$ip4"
log local0. "optaddr is $optaddr"
log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
}
}
xuwen
Cumulonimbus
Cumulonimbushttps://clouddocs.f5.com/api/irules/TCP__option.html
tcp option 28 length is 0, It indicates that Akamai did not send the message with option 28 to F5,so below irules can not exec
if { [string length $opt28] == 5 } {
binary scan $opt28 c ver
if { $ver != 1 } {
log local0. "Unsupported Akamai version: $ver"
} else {
set optaddr [IP::addr parse -ipv4 $opt28 1]
}
}
cause variable optaddr is non-existent, so The action code that causes the insertion of XFF will not be executed
if { [info exists optaddr] } {
HTTP::header insert X-Forwarded-For $optaddr
}
f5gurunotCirrus
CirrusThanks, appreciate your help! That's what I was thinking as soon as I saw that. Will see what Akamai says.
