Restricting Access to a Virtual Server by the Client IP Address in the X-Forwarded-For HTTP Header



If you have a proxy in front of the BIG-IP and all client IP addresses are source-NATed, you can still restrict access to the virtual server, provided the proxy inserts the original client IP address in the X-Forwarded-For HTTP header.


  • iRule
  • LTM


This is an example iRule, with a data group, that restricts access to a virtual server when the client IP address is carried in the HTTP header "X-Forwarded-For".

Recommended Actions

when HTTP_REQUEST {
   if { [matchclass [HTTP::header "X-Forwarded-For"] equals clients_dg] } {
      set xffHeader "[HTTP::header X-Forwarded-For]"
      log local0. "X-Forwarded-For IP dropped $xffHeader"
      drop   ;# block the request from the listed address
   }
}


ltm data-group internal clients_dg {
    records { <blocked-ip-1> { } <blocked-ip-2> { } <blocked-ip-3> { } }   <-------- the blocked client IP addresses go here (placeholders; the actual addresses are not shown)
    type ip
}

In the above example, a client coming from the public IP address [] is source-NATed by the proxy in front of the BIG-IP. The proxy inserts an HTTP header "X-Forwarded-For" carrying that address.

The above example iRule uses a data group to hold the list of blocked IP addresses and matches the header value against it.

When a request is blocked, the BIG-IP logs a message to /var/log/ltm, as below:

Mar 8 10:48:04 BigIP-UnitE-TMOS-15.test.local info tmm3[12003]: Rule /Common/xff-drop <HTTP_REQUEST>: X-Forwarded-For IP dropped
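The following iRule is an added example and not code from the article. It performs the same data-group check, but handles an X-Forwarded-For header that carries several comma-separated addresses, and it assumes the proxy appends its entry to the end of the list, as proxies normally do (if your proxy replaces the header instead, the single entry it writes is the trusted one). The data group clients_dg is the one from the article; the sample header value in the comments is constructed.

```tcl
when HTTP_REQUEST {
    set xff [HTTP::header value "X-Forwarded-For"]
    if { $xff eq "" } {
        # No header at all: the request did not pass through the proxy.
        return
    }
    # Split the comma-separated list and trim blanks,
    # e.g. "203.0.113.5, 198.51.100.7" (constructed sample value).
    set hops [list]
    foreach hop [split $xff ","] {
        set hop [string trim $hop]
        if { $hop ne "" } {
            lappend hops $hop
        }
    }
    # Only the last entry was appended by the trusted proxy directly in
    # front of the BIG-IP. Every earlier entry, including the "first IP"
    # (lindex $hops 0), arrived from the client side and can be forged,
    # so it must not be used for access control.
    set trusted_ip [lindex $hops end]
    # class match on an "ip" data group raises a Tcl error for a malformed
    # address; catch it and treat the request as blocked (fail closed).
    if { [catch { class match $trusted_ip equals clients_dg } blocked] } {
        log local0. "X-Forwarded-For malformed: $xff"
        set blocked 1
    }
    if { $blocked } {
        log local0. "X-Forwarded-For IP dropped $trusted_ip (header: $xff)"
        drop
    }
}
```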


Additional Information

Published Mar 14, 2023
Version 1.0


1 Comment

  • What about if the X-Forwarded-For has multiple IP addresses as there were several proxy devices that added an IP address to the header with "," for example ","? How can you match on the first IP address in the XFF header?