Forum Discussion

Antonio_Varni
Jan 21, 2008

replace all instances of a HTTP header

How can I replace all instances of a given header?

Specifically in my case I am trying to remove all previously set X-Forwarded-For headers before having the LTM inject its own. The X-Forwarded-For HTTP profile does not do this - it just appends its own.

An iRule approach I tried was this:

    when HTTP_REQUEST {
        # replace the header value with the connecting client's address
        HTTP::header replace X-Forwarded-For [IP::remote_addr]
    }

This works if there is only 1 previously set X-Forwarded-For header - it replaces it with its own.

You see - our application server only uses the first encountered X-Forwarded-For header and ignores the rest.

I can also write an iRule that deletes X previous copies of X-Forwarded-For before injecting its own. But - an attacker only needs to specify X+1 headers to effectively spoof/mask their source IP address from our application's perspective.

A recursive iRule maybe? Or am I missing something basic?

I may need to find an application fix for this as I can at this point guarantee that the _last_ set X-Forwarded-For header is legit.

running 9.2.3

TIA
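To make the X+1 argument above concrete, here is an added Python model of the header-handling strategies the thread discusses; it is not an iRule and not code from the thread, and the request, client address and function names are constructed for illustration:

```python
XFF = "X-Forwarded-For"

def is_xff(name):
    return name.lower() == XFF.lower()

def strip_n_then_insert(headers, client_ip, n):
    """Remove at most n existing XFF headers, then append the proxy's own.
    Models the 'delete X previous copies' approach from the question."""
    out, removed = [], 0
    for name, value in headers:
        if is_xff(name) and removed < n:
            removed += 1
            continue
        out.append((name, value))
    out.append((XFF, client_ip))
    return out

def strip_all_then_insert(headers, client_ip):
    """Remove every XFF header, then append the proxy's own.
    Models the while-loop iRule given in the replies."""
    out = [(n, v) for n, v in headers if not is_xff(n)]
    out.append((XFF, client_ip))
    return out

def first_xff(headers):
    """What the question's application server does: trust the first XFF seen."""
    for name, value in headers:
        if is_xff(name):
            return value
    return None

def last_xff(headers):
    """Application-side fix mentioned in the question: trust the last XFF,
    which the proxy appended after any client-supplied copies."""
    values = [v for n, v in headers if is_xff(n)]
    return values[-1] if values else None

# Constructed request: the client at 198.51.100.7 sends three XFF headers,
# hoping the application reads the first one.
FORGED = [("Host", "app.example"),
          (XFF, "10.0.0.1"), (XFF, "10.0.0.2"), (XFF, "10.0.0.3")]
CLIENT_IP = "198.51.100.7"

if __name__ == "__main__":
    # strip 2, client sent 3: the application still sees a forged address
    print(first_xff(strip_n_then_insert(FORGED, CLIENT_IP, 2)))  # 10.0.0.3
    # strip all, then insert: the application sees the real client
    print(first_xff(strip_all_then_insert(FORGED, CLIENT_IP)))   # 198.51.100.7
    # or leave the proxy's rule as-is and read the last header instead
    print(last_xff(strip_n_then_insert(FORGED, CLIENT_IP, 2)))   # 198.51.100.7
```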

5 Replies

  • Deb posted a nice solution for this a while back:

        when HTTP_REQUEST {
            # strip all instances of the given header
            while {[HTTP::header exists x-forwarded-for]} {
                HTTP::header remove x-forwarded-for
            }
        }

    Aaron
  • I know this is an old question but with Deb's answer does that put the source IP in the header instead of the F5 device?

  • The iRule removes the XFF header from the request. The source address is not usually in an HTTP header unless you inject something like this XFF header. The source address still exists at the device though, at a lower OSI layer.

  • I use the below rule and successfully end up with our clients IP address. This will check for any pre-existing XFF, remove it, and then add the IP of the incoming request. It's a bit wasteful (why not just wipe out the XFF regardless of if it is there or not?) though.

        when HTTP_REQUEST {
            # remove any client-supplied XFF before inserting the client address
            if {[HTTP::header exists X-Forwarded-For]} {
                HTTP::header remove X-Forwarded-For
                HTTP::header insert X-Forwarded-For [IP::remote_addr]
            } else {
                HTTP::header insert X-Forwarded-For [IP::remote_addr]
            }
        }