HTTP x-forward-for
Hi all, I have configured the x-forward-for virtual server as below. <vitual server> type : standard protocol : tcp Source Address Translation : Automap HTTP Profile : Added profile with 'Insert X-Forwarded-For' enabled The symptoms are as follows. 1) Configure the service port of the virtual server to 80 or 8080. - BIG-IP recognizes the port as http and adds the Client IP to the header. 2) Configure the service port of the virtual server to 11211. - BIG-IP recognizes the port as TCP and does not operate X-forward-for. I have a few questions. Q1) For X-forward-for to operate, does the HTTP well-known(80,8080) port that BIG-IP knows must be configured as a service port? Q2) Is there a way to make X-forward-for work by configuring unknown-port on the service port? Q3) Are there any other service ports that F5 recognizes with HTTP other than 80,8080? Thanks,25Views0likes3CommentsF5 LTM Explicit Forward Proxy with SSL Decryption(and XFF insertion)
Hi experts, I am working on a project where I have to configure the LTM as an Explicit Forward Proxy. I managed to get this working for both HTTP and HTTPS traffic using the this article here: Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM | DevCentral Note that, to align with the existing routing topology, the above setup required SNAT so the return traffic can get back to the LTM (currently routing topology can't be changed) However, a new requirement has come up to to include the X-Forwarded-for header in the outgoing packets from the LTMs (to Internet) so the Firewalls (that happens to be in the path to the internet) can enforce necessary policies based on Source IP derived from the XFF IP. Essentially, now I have the requirement of decrypting the traffic on the LTMs (while it's still functioning as an explicit forward proxy), insert XFF and re-encrypt traffic before sending out to the firewall. The firewall, in this case, will also decrypt the traffic and extract the XFF information and use that to enforce security policies on the traffic before sending out to Internet. Obviously, decrypting the same traffic twice is an overkill, but I guess at this point in time, I just wanted to make sure that this option is available and I test this out in my POC. The issues I am having right now is that, for the life of me, I can't find any document that tells me how perform this on an explicit forwarding proxy setup. I can find a lot of information around SSL decryption and XFF insertion on a reverse proxy setup but I am a bit confused how I derive the necessary bits from that and apply to the explicit-forward proxy. I tried different things in my lab but failed to get the expected outcome. Can someone please show me a document or let me know how to do this? Your input is much appreciated. ThanksSolved72Views0likes2CommentsiRule - XFF different case based on direction
I have an issue with Bitbucket versions where XFF is sent differently depending on the direction of traffic between versions. I am sure other apps have this issue as well. Bitbucket versions ( v7.2.5 --> v8.19.3 ) Can the XFF type case-sensitivity be controlled based on direction. (Right side is a mixed up standard and all upper-case versus the left side is all lower-case.41Views0likes2Commentsxff and geolocation
If I want to create a dos l7 profile that needs to check the xff header as the source address (I will add an http+xff profile), and I want to exclude a country from the dosL7 policy using an LTM policy - can this be done with XFF? can the ltm policy recognise xff addresses' geolocations? If not with ltm policy, can this be done with an irule? thanks, Vered73Views0likes4CommentsiRule - Fallback Persistence
Hi - I'm trying to create an iRule for the Persistence Profile of one of my applications. The preferred method is to use cookie - the application actually injects a cookie in the HTTP RESPONSE and the F5 looks for this cookie in both the HTTP RESPONSE and HTTP REQUEST to do persistence, identical to how JSESSIONID works. However in the event that the client has configured their browser to reject / disable cookies, the expectation is that we persist based on their source IP, however as they come in to our data centre via Akamai, we actually need to extract their IP from the X-Forwarded-For header. What I came up for this was: when HTTP_REQUEST { if { [HTTP::cookie exists "App_SessionId"] } { persist uie [HTTP::cookie "App_SessionId"] 1800 } else if {[HTTP::header X-Forwarded-For] != ""} { persist uie [lindex [ split [lindex [HTTP::header values X-Forwarded-For] 0] "," ] 0] 1800 } else { persist uie [IP::client_addr] 1800 } } when HTTP_RESPONSE { if { [HTTP::cookie exists "App_SessionId"] } { persist add uie [HTTP::cookie "App_SessionId"] 1800 } } I haven't had the chance to test this but reviewing the logic I see that we may have a problem with the first request cominf from the user's browser. When a user first lands on the website, the HTTP_REQUEST from their browser will not have the App_SessionId cookie and this causes the LTM to add a persistence record based on the X-Forwarded-For header, or add a persistence record based on the user's source IP address. When the request makes it to the server and the server responds ( HTTP_RESPONSE ), that response will have a App_SessionId cookie, and the LTM adds another persistence record based on this cookie. Then the subsequent HTTP_REQUEST from the users browser will have the App_SessionId cookie, and this will now match the if { [HTTP::cookie exists "App_SessionId"] } section of the iRule and they will be persisted to the same server that inserted the cookie. This is good but there's the loose end which is the initial persistence record based on the X-Forwarded-For header that's lingering. Would this lingering persistence record based on the X-Forwarded-For header cause a conflict with the persistence record based on the App_SessionId cookie? How do I clean up this loose end? On the flip side, if the user had configured their browser to reject cookies, the persistence record based on the X-Forwarded-For header is vital to maintain session consistency. But now we have the loose end of the persist add uie [HTTP::cookie "App_SessionId"] 3600 in the HTTP_RESPONSE .381Views0likes0CommentsBIG-IP : http profile : insert x-forwarded-for : enabled
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi HTTP Profile Insert X-Forwarded-For : Enabled Suppose the client has already added the "X-Forwarded-For" header value to the request. How will BIG-IP behave ? Will it leave the existing header value intact ? Or will it overwrite the value with what it believes to be the request client ip ? Further, at what point in request-processing does the insert/replace header operation occur ? Does it occur before iRule processing so that the header value is available within the iRule event processing when HTTP_REQUEST {} ?739Views0likes7CommentsBIG-IP : HTTP Profile Insert X-Forwarded-For Enabled but not found in request headers collection
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi For a Virtual-Server assigned an HTTP Profile configured with : Insert X-Forwarded-For Enabled under what circumstances would the header not be inserted ? My iRule logs : when HTTP_REQUEST { log local0. "X-Forwarded-For header = [HTTP::header X-Forwarded-For]" ` indicate header is not present -- here is log output : `X-Forwarded-For header = Could disabling HTTP_REQUEST event at end of iRule affect HTTP Profile ability to add the header ?271Views0likes2CommentsX-Forwarded-For header
Hi All, My application team requirement is to able to see the actual client ip address whoever accessing the application instead of BIG IP address as SNAT (Auto map) is enabled. I have read some SOL on it and understand that we can achieve this by iRule & HTTP profile. However, my requirement is to have an iRule as we can take decision whether to add X-Forwarded-For header to client requests. Can anyone please share the iRule script pertaining to this requirement. Thanks in advance, MSK383Views0likes11CommentsiRule - http redirect and x-forward
Hi folks, I need help to check if my iRule on LTM A (external) is redirecting the traffic to LTM B VIP correctly and iRule on LTM B will help keep the users host and uri and display the page on the servers. LTM A (External): ------------------------------- VS: vs_abc_com_test Destination IP: Public IP:80 Pool: pool_efg Member: 10.10.30.30 iRule on VS: "abc.com" { if { [HTTP::uri] starts_with "/test"} { pool pool_abc_test snat automap } else { HTTP::redirect "https://abc.com[HTTP::uri]" } } Pool in iRule: pool_abc_test Member: 10.10.10.1 ----------------- which is the VIP on LTM B LTM B (Internal): ----------------------------- VS: vs_pool_abc2_test2 Dest IP: 10.10.10.1 Pool: pool_abc2_test2 Members: 20.20.20.1:80 20.20.20.2:80 iRule on VS: when HTTP_REQUEST { if { ([HTTP::uri] contains "/xyz/login.aspx") || ([HTTP::uri] contains "/uvw/login.aspx")}{ if {not [HTTP::header exists "X-Forwarded-For"]} { HTTP::header insert X-Forwarded-For [IP::client_addr] } } }442Views0likes5CommentsiRule that triggers a capture of the HTTP request before rejecting
I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however we can still see the original in the XFF header. So far this iRule is working but would like to trigger a capture to better build a policy in ASM to block. Is there a way to trigger a method to capture and log the full request when we get a match and send the 410? Note:Credit to hoolio https://devcentral.f5.com/questions/using-x-forwarded-for-to-block-clients when HTTP_REQUEST { if {[HTTP::header "X-Forwarded-For"] ne ""}{ log local0. "XFF: [HTTP::header "X-Forwarded-For"]" foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] { log local0. "Current XFF element: $xff" if {[IP::addr $xff equals 1.2.3.4]}{ log local0. "Sending 410 for $xff" HTTP::respond 410 break } } } }249Views0likes2Comments