We insert an X-Forwarded-For header to pass back to our web servers. One application we have looks to this header to allow or deny certain servers access to us. However, we want to prevent spoofing the header for obvious reasons. The hope is that the LTM can peel off any outside X-Fordwarded-For headers and replace them with its own X-Fordwarded-For that has the IP of the actual client that is connecting. We are running 11.4.1 which has an "Accept XFF" option, but this is disabled. Reading the docs makes it sound like having that option disabled will give us what we need, but it does not work. I also tried adding X-Forwarded-For to the "Request Header Erase" option and it removes all X-Forwarded-For headers even the ones the LTM creates. I can spoof X-Fordwarded-Fors no sweat still. Any bright ideas on how to peel off outside X-Forwarded-Fors?

Hrm, so I copied this into an iRule verbatim and applied it to my Virtual Server as the first rule in line. I then removed the X-Forwarded-For option form my http profile and still the same behavior. What am I missing? Thanks for your help!

Is it that you're injecting additional (spoofed) X-FORWARDED-FOR headers in the client request and still see these arriving at the server?

Yes, that is exactly right. I am using a spoofing plugin via Firefox to insert a spoofed X-Forwarded-For header. Then, in sniffing the traffic coming from the F5, the spoofed headers are still there and Apache is happy to log them. So my machine at 192.168.x.x shows up via X-Forwarded-For as my spoofed IP 1.2.3.4

Perhaps line 5 should be 'insert'?

Prevent X-Forwarded-For spoofing

23 Replies

Bubbagump_12531

Nimbostratus

Oct 30, 2013

I got that, I just don't know how to add the header to the rule. I tried

when HTTP_REQUEST {
foreach x [HTTP::header names] {
    if { [string tolower $x] equals "x-forwarded-for" } {
        HTTP::header remove $x
        HTTP::header replace X-FORWARDED-FOR [IP::client_addr]
    }
    else
      { HTTP::header insert X-FORWARDED-FOR [IP::client_addr]}
}

}

But that tacked on seemingly a zillion headers

Kevin_Stewart

Employee

Oct 30, 2013

Try this:

when HTTP_REQUEST {
    set xff 0
    foreach x [HTTP::header names] {
        if { [string tolower $x] equals "x-forwarded-for" } {
            set xff 1
            HTTP::header remove $x
            HTTP::header insert X-FORWARDED-FOR [IP::client_addr]
        }
    }   
    if { $xff == 0 } {
        HTTP::header insert X-FORWARDED-FOR [IP::client_addr]
    }
}

Bubbagump_12531
Nimbostratus
Oct 30, 2013
Ah, brilliant. That works a peach. Thanks so much for your help on this one!
- uni
  Altostratus
  Oct 31, 2013
  An interesting issue. RFC 2616 section 4.2 says that header names are case insensitive, in which case I think the BigIP HTTP::header replace and remove should be case insensitive too.
- shaggy
  Nimbostratus
  Feb 04, 2014
  According to devcentral's description of HTTP::header, https://devcentral.f5.com/wiki/irules.http__header.ashx, the HTTP::header command should treat header names as case-insensitive.
- eey0re_68979
  Altocumulus
  Sep 04, 2015
  Tested in 11.6.0, [HTTP::header remove "X-Forwarded-For"] is case insensitive and removes all case permutations of the header, avoiding the need for a foreach loop. The original answer above is now sufficient.
Jeffrey_Tacy_47
Nimbostratus
Nov 05, 2013
As far as I know, there's no harm in trying to remove missing headers so this rule can be pretty simple. This is a well-tested rule and should be used without any HTTP profile XFF options:

when HTTP_REQUEST { HTTP::header remove X-Forwarded-For HTTP::header insert X-Forwarded-For [IP::remote_addr] }
- satish_txt_2254
  Cirrus
  Mar 17, 2016
  You nailed it... superb!!!
Abdullah_Okumus
Nimbostratus
Mar 09, 2016
So if you want to deny XFF spoofing attack and see the client IP address at the same time, you have to disable XFF option on HTTP profile and then apply following irule will be enough ?

when HTTP_REQUEST { foreach x [HTTP::header names] { if { $x equals "X-FORWARDED-FOR" } { HTTP::header remove X-FORWARDED-FOR HTTP::header replace X-FORWARDED-FOR [IP::client_addr] } }

}
Abdullah_Okumus
Nimbostratus
Mar 09, 2016
So if you want to deny XFF spoofing attack and see the client IP address at the same time, you have to disable XFF option on HTTP profile and then apply following irule will be enough ?

when HTTP_REQUEST {

foreach x [HTTP::header names] { if { $x equals "X-FORWARDED-FOR" } { HTTP::header remove X-FORWARDED-FOR HTTP::header replace X-FORWARDED-FOR [IP::client_addr] } }

}
- satish_txt_2254
  Cirrus
  Mar 17, 2016
  Yes! it should work!! Even I have XFF enabled in http profile.

Forum Discussion

Prevent X-Forwarded-For spoofing

23 Replies

Recent Discussions

ASM cookie, modifying "domain" field

URL

service profile HTTP in LTM v16.1?

iRule resulting in too many redirects

Azure SAML - F5 APM

Related Content

Prevent a Spoof of an X-Forwarded-For Request with BIG-IP

TCP Option 28 X-Forwarded-For Header

X-Forwarded-For on L4 VS

Extracting X-Forwarded-For in Node.js

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers