Remove additional IP from XFF HTTP Header
I set up an LTM VIP with an iRule to XFF the client_addr in the HTTP header to the destination, but the traffic goes through a WAF. The WAF is adding a second IP to the HTTP header, which is the Float IP of the F5. From the WAF, traffic is then sent to another LTM VIP which has the real server in the pool. Our security monitoring is looking at the 2nd IP (F5 Float IP) as the client source and is unable to know the first IP is actually the client IP. On the VIP after the WAF I wanted to add an iRule to strip away the 2nd IP (Float IP) in the header. Here is the iRule I am using on the initial LTM VIP:
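when HTTP_REQUEST {
    # Append the connecting client address to an existing X-Forwarded-For,
    # or create the header when the request arrives without one.
    if { [HTTP::header exists X-Forwarded-For] } {
        HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
    } else {
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
}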
My first thought was to use a variation of this iRule on the VIP after the WAF, but how could I make sure the F5 knows to replace with the original client_addr and not the IP from the WAF?
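One way to handle the header on the VIP after the WAF, as an added example that is not part of the original post: remove the last X-Forwarded-For entry only when it matches the known Float IP, instead of trusting the first entry, which a client can supply itself. The variable name `static::f5_float_ip` and the address `192.0.2.10` are placeholders assumed for illustration.

```tcl
when RULE_INIT {
    # Assumption: placeholder for the F5 Float IP that the WAF appends.
    set static::f5_float_ip "192.0.2.10"
}

when HTTP_REQUEST {
    # Nothing to clean up when the header is absent.
    if { ![HTTP::header exists X-Forwarded-For] } {
        return
    }

    # Flatten every X-Forwarded-For header line into one ordered list of hops.
    set hops [list]
    foreach value [HTTP::header values X-Forwarded-For] {
        foreach hop [split $value ","] {
            set hop [string trim $hop]
            if { $hop ne "" } {
                lappend hops $hop
            }
        }
    }

    # Strip the trailing hop only when it is the known Float IP and at least
    # one other hop remains; any other chain is passed through unchanged.
    if { [llength $hops] > 1 && [lindex $hops end] eq $static::f5_float_ip } {
        set hops [lrange $hops 0 end-1]
        HTTP::header remove X-Forwarded-For
        HTTP::header insert X-Forwarded-For [join $hops ", "]
    }
}
```

After this runs, the rightmost entry is the address the first VIP recorded from `IP::client_addr`. Entries to its left arrived with the client's request and should not be treated as trusted by monitoring.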