Multiple XFF headers

Question

We have a situation where it may be possible for one LTM to insert the XFF and load-blance the packets to another LTM with another XFF set. 
&nbsp;  
&nbsp; I would like to have an iRule the checks for the existence of the XFF header and if it exists then do nothing... else add it in. This is waht I have but it doesn't seem to be working correctly, I am still getting 2 XFF headers in the payload. 
&nbsp;  
&nbsp; Any help would be appreciated 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;   if {  
&nbsp;     [HTTP::header exists "X-Forwarded-For"]  
&nbsp; } 
&nbsp; { 
&nbsp;  Do nothing 
&nbsp;  } 
&nbsp; else 
&nbsp;  { 
&nbsp;     HTTP::header insert "X-Forwarded-For" [IP::client_addr] 
&nbsp;   } 
&nbsp; }

dennypayne · Answer

I would try using "return" to exit from the HTTP_REQUEST event.

when HTTP_REQUEST {    
        if {[HTTP::header exists "X-Forwarded-For"]}    
          return     
       } else {    
          HTTP::header insert "X-Forwarded-For" [IP::client_addr]    
        }    
    }

Denny 
  
 EDIT: removed extra bracket

deb_allen_18 · Answer

HTTP::header replace will add replace the specified header if it's already there, or add it if it is not. 
&nbsp;  
&nbsp; /d

hooleylist · Answer

I assume you've disabled XFF on the HTTP profile on the second set of LTM's? 
  
 You could also try logging what's happening:

when HTTP_REQUEST { 
    if {[HTTP::header exists "X-Forwarded-For"]}{ 
        Do nothing 
       log local0. "[IP::client_addr]:[TCP::client_port]: Existing XFF: [HTTP::header values "X-Forwarded-For"]" 
    } else { 
       HTTP::header insert "X-Forwarded-For" [IP::client_addr] 
       log local0. "[IP::client_addr]:[TCP::client_port]: Added XFF: [HTTP::header values "X-Forwarded-For"]" 
    } 
 }

Aaron

colin_walker_12 · Answer

Don't forget that you don't really need a "do nothing" section of the rule at all.  You can accomplish the same thing with negative logic. 
&nbsp;  
&nbsp;  
 when HTTP_REQUEST {  
   if { !([HTTP::header exists "X-Forwarded-For"])}{  
     HTTP::header insert "X-Forwarded-For" [IP::client_addr]  
     log local0. "[IP::client_addr]:[TCP::client_port]: Added XFF: [HTTP::header values "X-Forwarded-For"]"  
   }  
 }  
  
&nbsp;  
&nbsp; Not that it matters a ton in this case, but in longer, more complex scenarios, this can save a fair amount of code.  Also, the header replace option is a good one, that way you should only ever end up with one. This is only an option if you aren't trying to preserve a previous XFF header though, obviously. 
&nbsp;  
&nbsp; Colin

kevin_nail · Answer

Thanks for all the help... I added the 'return' word and some quotes around the "X-Forwarded-For" value... It works just fine now.

Forum Discussion

Multiple XFF headers

5 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

XFF Header Persistence iRule

XFF Universal Persistence iRule

F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP headers

XFF replace iRule help