Checking for X-Forwarded-For against an Address Data-Group
Hello, I've been back and forth over this simple block of code, extracted from our f5 rule. I'm trying to adjust to Cloudflare X-Forwarded-For header for handling source IP address comparison to an internal list of credible internal IP ranges. While I understand that the "X-Forwarded-For" header is not 100% reliable, having this value set will aid debugging in other respects. When I call this f5 irule with no headers, it is fine, it appears to use the client_addr normally against our whitelist address Data Groups (very simple list of allowed ranges). But when I call it with a header of X-Forwarded-For via Postman it does not respond at all to the client (fails hard). I thought all Tcl variables are Tcl String, but is there something I need to convert extra for headers? -value on the header did not help either. when HTTP_REQUEST { if {[HTTP::header exists "X-Forwarded-For"]}{ set ip [HTTP::header "X-Forwarded-For"] } else { set ip [IP::client_addr] } set externalHost 1 if {[class match $ip equals Internal_Hosts]}{ set externalHost 0 } if {($externalHost == 0)}{ HTTP::respond 200 content { externalHost=0 } } elseif {($externalHost == 1)}{ HTTP::respond 200 content { externalHost=1 } } else { HTTP::respond 200 content { externalHost=unknown } }
f5 irules add headers
Hello, I'm trying to replace Nginx with f5, and I have a few headers I need to set in f5, but I'm not sure how... in nginx the config file looks like this: proxy_set_header X-Forwarded-Host $host; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; Is there any way of replicating this in f5? I was hoping to do this through irule, as I alredy have an irule assigned to one VS that changes url and uri and passes it to corect node: when HTTP_REQUEST { if { not (([HTTP::path] starts_with "/api/") or ([HTTP::path] starts_with "/auth") )} { return } set apiType [lindex [split [HTTP::path] "/"] 2] if {([HTTP::path] starts_with "/auth") }{ set newSubdomain access.uat. HTTP::header replace "Host" [string map [list "api-uat." $newSubdomain ] [HTTP::host]] HTTP::path [string map [list "/api/$apiType" "/access"] [HTTP::path]] log local0. "New Path [HTTP::host][HTTP::path]" virtual keycloak_vs node 172.17.1.104 8080 } else { log local0. "api type $apiType" append newSubdomain $apiType .uat. log local0. "New Subdomain $newSubdomain" HTTP::header replace "Host" [string map [list "api-uat." $newSubdomain ] [HTTP::host]] HTTP::path [string map [list "/api/$apiType" "/api"] [HTTP::path]] log local0. "New Path [HTTP::host][HTTP::path]" } unset newSubdomain unset apiType } not sure what else to include to make it clear.... The basic process is: user goes to api-uat.example.com/api/access f5 changes this to access.uat.example.com/auth (user don't see this) This takes user to the page with links, one of the links is "log in", and when user chooses it should go to api-uat.example.com/api/access/.... however for some reason URL in the browser is changed to access.uat.example.com/auth/... which is not accessible externally... I'm guessing that the problem is with missing proxy headers like I have them in nginx (which doesn't get the same problem) Hope this is clear enough 🙂
F5 LTM appears to be overwriting the cache-control response headers
BIG-IP LTM v15.1.4 When accessing our website through the F5 (VIP), the cache-control response headers are not honoring the values returned by the member servers in the Pool. When accessing the webservers directly (not through the F5) the cache-control header values are correct. INCORRECT HEADERS = cache-control: private CORRECT HEADERS = cache-control: no-cache, no-store We do not have any iRules modifying this header, we are not using Web Application Proxy (WAP), Web Acceleration, etc.
Forwarding to Different Port Replaces the Host Header
We use F5 in front of an AWS ALB for firewall purposes. In our virtual server, we forward our https requests to port 85. When the request arrives at our web tier, the request has the host header of our external url with ":85" appended to it. We want the behaviour to be when the request is forwarded, even to a different port, the host header remains the same in order for OpenID to work correctly. Please let me know if there is a workaround for this, and thanks in advance.X-Frame-Options: SAMEORIGIN header Question
Alright DC Community! This came in thru twitter and thought I'd ask on behalf of Stefán Jökull Sigurðarson (@stebets)/DC Member, Stebet: Does anyone know how an X-Frame-Options: SAMEORIGIN header could start appearing after adding a separate Content-Security-Policy header in an app? I'm suspecting something within our @F5Networks LB? Anyone seen this? It only got added after I put in my CSP header on the app-side of things though. So I'm curious if it's some sort of automatic thing to do if a CSP header is detected? It was removed easily enough with an iRule though. @jasonrahm replied: If using CSP frame-ancestors self should invalidate need for x-frame-options, but if you are not explicitly setting it must be gathered in a policy check somewhere before the app response is released. Previous Q/As also discuss clickjacking and methods to mitigate. Any other suggestions? Let's give him some advice! And, as always, appreciate the help! ps
How can I preserve the original HTTP Host Header to the Backendservers?
Hi guys, I'm trying the following configuration to loadbalance a RH SSO Key cloack Cluster: clientIP -> https/443 -> (clientssl-Profile) F5-Virtual Server (serverssl-Profile) -> SNAT-IP -> tcp8443 -> Backendserver The Backendserver need to see the original client http Header, so I created a http Profile with the "Insert X-Forwarded-For"-Option enabled. Alternative I tried the following iRule: when HTTP_REQUEST { HTTP::header insert X-Forwarded-For [IP::client_addr] } Unfortunaly, both ways didn't work properly... How can I preserve the whole original HTTP Host Header trough the F5 to the Backendservers? Thank you!Missing SOAPAction
Hey, I have a problem I think is easy to solve but this is my 1st time researching F5 rules. I'm a developer by trade but trying to figure out an urgent issue. I have a problem with an obscure client of our SOAP services. Our WSDLs speficy am empty SoapAction but this client assume that without a SOAPAction, it won't even send the header. Our server get a mixture of REST and SOAP requests so I am looking for a rule that will check only SOAP requests for a SOAPAction header and if it doesn't exist, add it. Or, is this just as easy as doing something like this? HTTP::header replace SOAPAction "" This is a little scorched earth but we don't have any SOAPAction anywhere. I don't think this would negatively affect other types of requests even it were be added to everything?iRule header removal for cached item reponses
Does anyone know if iRules do not apply to cached responses? I like to strip out X-Powered-By headers from my responses, but I'm seeing that header on the client side of things; I haven't made any changes to my iRule (though it's a large one shared between multiple VSs) which leads me to believe that the HTTP_Request and HTTP_Response rules aren't being applied to cached responses.Retain source IP in UDP packet
Hi - I'm passing SNMP traps through an F5 VIP to our event collector. However being UDP the header info isnt retained and the node IP is showing as the SNAT address. Is there any way to retain the orgional IP? I'm thinking something like x-forwarded-for for TCP. Thanks!
