Forum Discussion

Chris_FP's avatar
Chris_FP
Icon for Cirrus rankCirrus
Feb 09, 2016

Traffic policy not evaluating TCL commands

I've setup a traffic policy to check if a header exists and if it doesn't then to add it. That bit of the logic works however it doesn't add what I need it to - it basically doesn't evaluate the tcl command I put in.

I've tried it using with and without quotes and basically the output I get into the XFF header is the string so either "tcl:[IP::client_addr]" or just tcl:[IP::client_addr]

        actions {
            0 {
                http-header
                replace
                name X-Forwarded-for
                value \"tcl:[IP::client_addr]\"
            }

or actions { 0 { http-header replace name X-Forwarded-for value tcl:[IP::client_addr] }

There are good reasons why I am not using the standard Insert XFF in the HTTP profile and whilst it could easily be done by an iRule I really need this to work, as it should do, in a traffic policy.

I am running 11.5.1 HF7

  • Prior to BigIP 12.0.0, TCL command substitution was currently only implemented in two policy actions:

    http-uri rewrite value
    http-reply redirect location
    

    Additional actions were added in BigIP 12.0.0, and documented here

  • Hi Parknook,

    I share your opinion, to not use the HTTP profile "Insert X-Forwarded-For" option, when security is somehow a concern.

    But keep in mind that a

    replace
    header action is also not the right choice to sanitize every existing instance of
    X-Forwarded-For
    from the received HTTP request. The
    replace
    action would only modify the last occurrence of
    X-Forwarded-For
    but your application may use the first one. So a combination of
    remove
    and
    insert
    is the most secure syntax you can pull of...

    To be able to set those headers with LTM Policies prior to v12, you may pass a

    [HTTP::header remove "X-Forwarded-For"]
    and
    [HTTP::header insert "X-Forwarded-For" [IP::client_addr]]
    syntax using the TCL policy action. Well, the TCL action is originally not intended to manipulate request information, but works like a charm and also supports a rich TCL substitution...

    ltm policy Insert_X-Forwarded-For {
        requires { http }
        rules {
            Rule1 {
                actions {
                    0 {
                        tcl
                        set-variable
                        expression "[HTTP::header remove \"X-Forwarded-For\"]"
                        name x_forward_for
                    }
                    1 {
                        tcl
                        set-variable
                        expression "[HTTP::header insert \"X-Forwarded-For\" [IP::client_addr]]"
                        name x_forward_for
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }
    

    Note: Personally I wouldn't recommend to use a LTM Policy to issue native TCL commands. But if you require a pure LTM Policy based configuration, then this approach would be one of the last options before migrating to v12...

    Cheers, Kai