ok I figured it all out.. Imperva/Incapsula has added another header it passes its original client ip in called [HTTP::header "Incap-Client-IP"]
when HTTP_REQUEST {
if { ([string tolower [HTTP::uri]] starts_with "/testingpage") } {
Parse the client IP from the CDN header
set client_ip [HTTP::header "Incap-Client-IP"]
log local0. "XFF: [HTTP::header "Incap-Client-IP"]"
if { $client_ip eq "" }{
The header was empty/did not exist, so use the actual client IP
set client_ip [IP::client_addr]
}
switch [whereis $client_ip abbrev] {
"NJ" -
"ID" {
HTTP::respond 200 content "Your IP IS from NJ or ID"
}
default {
set state [whereis $client_ip abbrev]
log local0. "Lowercase state is $client_ip"
HTTP::respond 200 content "Your IP IS NOT NJ or ID you is $state"
}
}
}
}