Forum Discussion

Jose_Cruz's avatar
Jose_Cruz
Icon for Altostratus rankAltostratus
Aug 06, 2019

Help with X-Forwarded-For iRule

We have many (over 500) Public VIP that we need to insert the client IP in the header for security reasons. When i enabled X-Forwarded-For in the HTTP profile the developer informed me they are recei...
  • JG's avatar
    Aug 06, 2019

    I would not enable the acceptance of XFF, for it can be faked. You should only trust the IP address that initiated the connection as the client address. As such, you can try the irule below.

    when HTTP_REQUEST_RELEASE {
        log local0. "Orig XFF: [HTTP::header values "X-Forwarded-For"]"
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] % 1],[getfield [IP::local_addr] % 1]
        log local0. "New XFF: [HTTP::header value "X-Forwarded-For"]"
    }

    .