AltocumulusIf I want to create a dos l7 profile that needs to check the xff header as the source address (I will add an http+xff profile), and I want to exclude a country from the dosL7 policy using an LTM policy - can this be done with XFF? can the ltm policy recognise xff addresses' geolocations?
If not with ltm policy, can this be done with an irule?
thanks,
Vered
Nimbostratus
User
If I want to create a dos l7 profile that needs to check the xff header as the source address (I will add an http+xff profile), and I want to exclude a country from the dosL7 policy using an LTM policy - can this be done with XFF? can the ltm policy recognise xff addresses' geolocations?
If not with ltm policy, can this be done with an irule?
Using the X-Forwarded-For (XFF) header to determine the source IP address can be helpful, but the LTM policy itself won't have built-in functionality to directly recognize the geolocation of the IP addresses extracted from the XFF header. However, you can achieve this functionality with iRules.
Here's a general approach using an iRule:
Extract the client IP address from the XFF header.
Use a geolocation lookup service or database (e.g., MaxMind GeoIP) to determine the country associated with the extracted IP address.
Implement logic in the iRule to exclude requests coming from the specified country from the DoS L7 policy.
An iRule allows for more flexible and custom scripting, enabling you to manipulate traffic based on various conditions, including the XFF header and geolocation data. Below is a simplified example of how you might implement this:
tcl
Copy code
when HTTP_REQUEST {
set xff_header [HTTP::header "X-Forwarded-For"]
if { $xff_header ne "" } {
# Extract the client IP address from the XFF header
set client_ip [lindex [split $xff_header ","] 0]
# Perform geolocation lookup for the client IP address
set country [geo::ipcountry $client_ip]
# Check if the request is coming from the excluded country
if { $country eq "Excluded_Country_Code" } {
# Exclude requests from the excluded country
reject
return
}
}
# If not from the excluded country, continue processing the request
# Add other logic or actions here
}
Replace "Excluded_Country_Code" with the appropriate country code for the country you want to exclude from the DoS L7 policy.
Keep in mind that implementing such logic can add complexity to your configuration, and you should thoroughly test and validate the iRule to ensure it behaves as expected and does not inadvertently block legitimate traffic. Additionally, consider the performance impact of using iRules,
especially if they are processing a large volume of traffic.
AltocumulusThank you very much. I will test this irule. I can already say that the LTM policy does not recognize geolocation from xff IPs, so this may be our only option.
Thanks
AltocumulusI made some changes as I didn't find any command the was geo::ipcountry.
when HTTP_REQUEST {
set xff_header [HTTP::header "X-Forwarded-For"]
if { $xff_header ne "" } {
# Extract the client IP address from the XFF header
set client_ip [lindex [split $xff_header ","] 0]
# Check if the request is *not* coming from the excluded country
if {!([whereis $client_ip country] equals "country_code") } {
# enable dos profile
DOSL7::enable dos
#return
} else {
DOSL7::disable
}
}
}I need to test it....
Will update.
MVPveredgfbll Sadly I am not familiar enough with ltm policies to say if you can or cannot do this. You should be able to do this with an iRule but it will become a bit tricky if your XFF has multiple IP entries that could range from single to any number of IPs in that header field.