Forum Discussion

Jim_Stumbo's avatar
Jim_Stumbo
Icon for Altostratus rankAltostratus
Jul 01, 2021
Solved

Use x-forwarded-for to bypass authentication?

I am pretty new to all the irule stuff and the more advanced access policy stuff, so please be gentle on me.

 

What we are trying to do is when a connection is made to our F5, check the x-forwarded-for field and if it is a certain IP address range, then bypass the authentication in the access policy. We have users and systems that are making this connection and we want to users to have to do the two factor authentication we have in place, but the systems that make this connection cannot do the two factor authentication. So we want them to be able to skip over that. We are taking precautions on our WAF to prevent the spoofing of the x-forwarded-for header, so we should be OK there.

 

Any suggestions on how to do this? I am assuming, from what I have read... that I can create an irule that checks the x-forwarded-for and sets a variable depending on if it is in the range that we know is from the systems directly, and then somehow in the access policy, check for that variable, and if it is a certain value, go to success directly bypassing the SAML auth, but if it is not that value, then they go to the authentication to do their two factor auth.

 

Thanks for any help.

 

Jim

  • Hi Jim,

    you could add this iRule

    when HTTP_REQUEST {
        if {[HTTP::header exists X-Forwarded-For]}{
            ACCESS::session data set session.user.clientip [HTTP::header X-Forwarded-For]
        }
    }

    It will replace the Session Variable session.user.clientip with the value of the X-Forwarded-For header.

    And then you could use the APM action Endpoint Security (Server-Side) >> IP Subnet Match in the APM Access Policy to check whether the IP is matching the allowed Subnets.

    I didn't test the iRule, let me know whether it works or not.

    KR

    Daniel

    EDIT: Typo in iRule

9 Replies

  • Hi Jim,

    you could add this iRule

    when HTTP_REQUEST {
        if {[HTTP::header exists X-Forwarded-For]}{
            ACCESS::session data set session.user.clientip [HTTP::header X-Forwarded-For]
        }
    }

    It will replace the Session Variable session.user.clientip with the value of the X-Forwarded-For header.

    And then you could use the APM action Endpoint Security (Server-Side) >> IP Subnet Match in the APM Access Policy to check whether the IP is matching the allowed Subnets.

    I didn't test the iRule, let me know whether it works or not.

    KR

    Daniel

    EDIT: Typo in iRule

    • Jim_Stumbo's avatar
      Jim_Stumbo
      Icon for Altostratus rankAltostratus

      It does not look like the iRule works. When I apply it, the website does not come up at all. I have not done the access policy part yet, but just doing the iRule makes it not respond. I am guessing that maybe by changing the clientIP, it is trying to respond to the client directly, instead of going back through the WAF?

      • Daniel_Wolf's avatar
        Daniel_Wolf
        Icon for MVP rankMVP

        See this diagram: https://devcentral.f5.com/s/articles/iRule-Event-Order-Flowchart

         

        You could try and replace the HTTP_REQUEST with ACCESS_SESSION_STARTED.

        Sorry.... I really should have tested the iRule.