Forum Discussion
hooleylist
Apr 10, 2008
Ideally, matching on the source IP against a list of hosts/networks would be an option on the HTTP class filters. There is an existing 'request for enhancement' asking for this functionality. It would be good to open a case with F5 Support (websupport.f5.com) and ask them to attach your case to the existing request.
Inserting an XFF header and then using that for HTTP class matching is an interesting idea for how to select an HTTP class based on the client IP address. It does seem to work, if you enable the insertion of XFF or a custom header on the HTTP profile. A filter you can use on the HTTP class is:
Pattern (not regex): X-Forwarded-For: 192.168.*
This worked in a quick test.
However, from a security standpoint, it would be better to use an iRule to remove all instances of the header name you're going to use and then insert the client IP address in the header. This ensures that a malicious client couldn't affect the class selection by inserting their own value in the header. Here's an example:
```tcl
when HTTP_REQUEST {
    # Insert a test header value to verify it's removed by this rule (remove this after testing)
    HTTP::header insert name "X-Forwarded-For" value hacked_value

    # Log the current header names
    log local0. "\[HTTP::header names\]: [HTTP::header names]"

    # Remove all instances of the existing headers (the name match is case-insensitive)
    while {[HTTP::header exists x-forwarded-for]} {
        log local0. "Current value: \[HTTP::header value x-forwarded-for\]: [HTTP::header value x-forwarded-for]"

        # Remove the current header
        HTTP::header remove x-forwarded-for
        log local0. "\[HTTP::header names\]: [HTTP::header names]"
    }

    # Insert the actual client IP address in the header
    HTTP::header insert name "X-Forwarded-For" value [IP::client_addr]
}
```
Also, this string matching approach only allows you to match on class A, B, C or hosts. If you wanted to do a more precise match, you could define the hosts/networks in a datagroup, check the client IP address against the class using matchclass and then manually select the corresponding HTTP class in an iRule using the HTTP::class command. Note that any HTTP class you specify must already be configured as a resource of the virtual server. If you take this route and want an example, let us know.
Thanks,
Aaron
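The datagroup route mentioned at the end of the post, as an added example rather than Aaron's own code: it strips every client-supplied X-Forwarded-For, re-inserts the connection's real source address, and then picks the HTTP class from a datagroup match instead of a string pattern. It assumes an address-type datagroup named `trusted_nets`, two HTTP classes named `internal_class` and `default_class` already attached to the virtual server, and the v9-era `matchclass` syntax the post refers to.

```tcl
when HTTP_REQUEST {
    # Drop every X-Forwarded-For the client sent (the name check is
    # case-insensitive and a client may send more than one copy), so a
    # spoofed value can never influence the class decision below.
    while { [HTTP::header exists "X-Forwarded-For"] } {
        HTTP::header remove "X-Forwarded-For"
    }
    # Re-insert the address BIG-IP actually saw on the TCP connection.
    HTTP::header insert name "X-Forwarded-For" value [IP::client_addr]

    # Assumed datagroup "trusted_nets" (type address) lists the hosts and
    # networks, e.g. 10.1.2.3 or 192.168.0.0/16, that should be served by
    # the internal class. Matching is done on the real client address,
    # not on any header, so only the datagroup contents decide the outcome.
    if { [matchclass [IP::client_addr] equals $::trusted_nets] } {
        HTTP::class select "internal_class"
        log local0. "client [IP::client_addr] matched trusted_nets: internal_class"
    } else {
        HTTP::class select "default_class"
        log local0. "client [IP::client_addr] not in trusted_nets: default_class"
    }
}
```

Both class names must already be configured as resources of the virtual server, as the post notes, or the select call fails.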