Forum Discussion

henry_kay_36032's avatar
henry_kay_36032
Icon for Nimbostratus rankNimbostratus
Apr 03, 2018

SNAT based on XFF to internet

Hi All,

my company is trying to get LTM to work with ironport proxy. The proxy gateway is pointed to F5 and we have configured a performance L4 virtual server to allow the traffic to passthrough. so far what we observed from our irules, the XFF header is not match properly and it is intermittently having issue.

when HTTP_REQUEST {

set XFF [HTTP::header X-Forwarded-For]
log local0. $XFF

if { [catch {class match [HTTP::header "X-Forwarded-For"] equals abc-address}] } {
log local0. "$XFF hit ABC"
snatpool SNAT_POOL_1.1.1.1
} elseif { [catch {class match [HTTP::header "X-Forwarded-For"] equals def-address}] } {
log local0. "$XFF hit DEF"
snatpool SNAT_POOL_2.2.2.2
} elseif {[class match [IP::client_addr] equals proxy-address]} {
log local0. "not nat. proxy going to internet"
} else
{
log local0. "Not matching any ip. traffic dropped"
drop
}
}

would anyone be able to help advise if it is the rule having issue?

application delivery
explicit forward proxy
iRules
load balance based on snat
LTM

3 Replies

Sort By
  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    Apr 03, 2018

    Try something like this:

    when HTTP_REQUEST {
    if {[HTTP::header values "X-Forwarded-For"] ne ""}{

        foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
            log local0. "Current XFF element: $xff"
            if { [class match $xff eq abc-address2] } {
                log local0. "$xff hit ABC"
                snatpool SNAT_POOL_1.1.1.1
                return
            }

            if { [class match $xff eq def-address] } {
                log local0. "$xff hit DEF"
                snatpool SNAT_POOL_2.2.2.2
                return
            }
        }
    }
    else {
        log local0. "No X-Forwarded-For header found."
    }

    if {!([class match [IP::client_addr] equals proxy-address])} {
        log local0. "Not matching any ip. traffic dropped"
        drop
    }
}
    • henry_kay_36032's avatar
      henry_kay_36032
      Icon for Nimbostratus rankNimbostratus
      Apr 07, 2018

      when i set it to standard mode, the pool member i set it as the next hope device. however it does not know how to get to the destination (public website)

       

      in tcpdump, the http url destination is removed and the next hop device simply reset the connection.