Forum Discussion

dwillis619_3073
Jun 08, 2017

Remove additional IP from XFF HTTP Header

I set up an LTM VIP with an iRule that puts the client_addr into the X-Forwarded-For HTTP header on the way to the destination, but the traffic goes through a WAF. The WAF is adding a second IP to the HTTP header, which is the float IP of the F5. From the WAF, traffic is then sent to another LTM VIP which has the real server in the pool. Our security monitoring is looking at the 2nd IP (F5 float IP) as the client source and is unable to know that the first IP is actually the client IP. On the VIP after the WAF I wanted to add an iRule to strip away the 2nd IP (float IP) in the header. Here is the iRule I am using on the initial LTM VIP:

when HTTP_REQUEST {
    if { [HTTP::header exists X-Forwarded-For] } {
        # A chain already exists: append this hop's client address to it
        HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
    } else {
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
}


My first thought was to use a variation of this iRule on the VIP after the WAF, but how could I make sure the F5 knows to replace with the original client_addr and not the IP from the WAF?

17 Replies

  • Do you have control of all these devices? If so, is there any reason why you cannot remove the functionality that is inserting an XFF header on the WAF?

    That way, you would only have the original client IP in the XFF header.

    • dwillis619_3073

      The issue with the WAF is that it can either have XFF enabled, in which case it adds the 2nd IP, or turned off, in which case it does not forward anything.

    • Morten_Marstra1

      Hi,

      You could try this iRule on the backend LTM VIP. I haven't tested it, but it should work, as long as the IPs are split by a ",".

      when HTTP_REQUEST {
          if { [HTTP::header exists "X-Forwarded-For"] } {
              # Keep only the first comma-separated field (the original client IP),
              # dropping the address the WAF appended; trim surrounding whitespace.
              set original_ip [string trim [getfield [HTTP::header "X-Forwarded-For"] "," 1]]
              # Tcl needs the $ to dereference the variable; without it the header
              # would be set to the literal string "original_ip".
              HTTP::header replace "X-Forwarded-For" $original_ip
          }
      }
      
  • when HTTP_REQUEST {
        # substr's third argument is a terminator character: this returns everything
        # before the first "," in X-Forwarded-For (the original client IP) and
        # discards the address the WAF appended after it.
        if { [HTTP::header exists "X-Forwarded-For"] } {
            HTTP::header replace "X-Forwarded-For" [substr [HTTP::header "X-Forwarded-For"] 0 ","]
        }
    }
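Every fix in this thread picks the client out of X-Forwarded-For by position: field 1, or everything before the first comma. That works only while the chain layout stays exactly "client, F5 float IP", and it silently trusts whatever the client itself sent in its own X-Forwarded-For header, because a client-supplied value is what the first LTM appends to, so it ends up in field 1. The robust rule for the monitoring side (and for the backend VIP) is to keep a list of the proxy addresses you own and walk the chain from the right, past the TCP peer, until the first address that is not yours. The following Python is an added example that implements that rule; it is not from the thread or from F5, it goes beyond the two-hop case in the question to an arbitrary chain, and every address in it, the trusted-proxy list, and the helper names parse_xff, is_trusted_proxy, client_ip and strip_trusted_tail are assumed placeholders:

```python
import ipaddress

# Constructed sample topology (assumed placeholder addresses, not values from
# the thread): the LTM self/float addresses and the WAF's egress address are
# the only hops whose X-Forwarded-For entries we are willing to believe.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/24"),   # LTM float / self IPs (assumed)
    ipaddress.ip_network("10.0.1.5/32"),   # WAF egress address (assumed)
]


def parse_xff(header_value):
    """Split an X-Forwarded-For value into its entries, left to right.

    Stray whitespace and empty fields are dropped; entries that are not valid
    addresses are kept verbatim so the caller can see (and log) them.
    """
    if not header_value:
        return []
    return [entry.strip() for entry in header_value.split(",") if entry.strip()]


def is_trusted_proxy(addr):
    """True if addr belongs to one of the proxies we operate."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # garbage never counts as a trusted hop
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(xff_value, peer_addr):
    """Pick the address monitoring should attribute the request to.

    peer_addr is the TCP peer, the hop nearest to us and the only entry that
    did not come from a header. Walk the chain from the right, discarding hops
    that are our own proxies; the first address that is not ours is the client.
    The leftmost entry is never trusted by position alone: whatever a client
    sends in its own X-Forwarded-For header ends up there.
    """
    chain = parse_xff(xff_value) + [peer_addr]
    for addr in reversed(chain):
        if not is_trusted_proxy(addr):
            return addr
    # Every hop was one of ours (e.g. an internal health check): report the peer.
    return peer_addr


def strip_trusted_tail(xff_value):
    """What the backend-VIP iRule should do: remove our own proxies' addresses
    from the right end of the header so the last entry is the real client."""
    chain = parse_xff(xff_value)
    while chain and is_trusted_proxy(chain[-1]):
        chain.pop()
    return ", ".join(chain)


if __name__ == "__main__":
    # Constructed header as it arrives at the backend VIP: the first LTM
    # appended the client, the WAF appended the LTM float IP, and the TCP peer
    # of the backend VIP is the WAF.
    honest = "203.0.113.7, 10.0.0.10"
    print(client_ip(honest, "10.0.1.5"))          # 203.0.113.7

    # Same path, but the client sent its own X-Forwarded-For: 198.51.100.9.
    # Field 1 of the header is attacker-chosen; walking from the right is not.
    spoofed = "198.51.100.9, 203.0.113.7, 10.0.0.10"
    print(parse_xff(spoofed)[0])                  # 198.51.100.9 (what "field 1" yields)
    print(client_ip(spoofed, "10.0.1.5"))         # 203.0.113.7
    print(strip_trusted_tail(spoofed))            # 198.51.100.9, 203.0.113.7
```

Note that strip_trusted_tail deliberately leaves the client-supplied 198.51.100.9 in place: the header is still evidence worth logging, but the attribution decision in client_ip never depends on it. If the WAF's only options are "append its hop" or "send nothing", appending is the right choice, because the chain stays intact and the trusted-proxy list does the filtering.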