Manual Chapter : Example: Preventing a spoof of an x-forwarded-for request

Applies To:

BIG-IP LTM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP PEM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Example: Preventing a spoof of an x-forwarded-for request

You can create a local traffic policy to prevent a spoof of an x-forwarded-for request. This is a security issue in which an attacker attempts to thwart security by falsifying the IP address in a header and passing it through the BIG-IP system.

Examples

Creating a policy to prevent a spoof of an x-forwarded-for request: video example

You can associate a BIG-IP local traffic policy with a virtual server to prevent a spoof of an x-forwarded-for request. This is a security issue in which an attacker attempts to thwart security by falsifying the IP address in a header and passing it through the BIG-IP system. Watch the following video for an example of creating a local traffic policy and associating it with a virtual server.
You can also visit our DevCentral YouTube channel to see this video. Use any of these ways:
  • Copy and paste the above URL into your browser window.
  • Use your browser to search for this video using the title F5: Creating a local traffic policy to prevent a spoof of an x-forwarded-for request.
When you have completed the task shown in the video, the policy is associated with a virtual server.

Preventing a spoof of an x-forwarded-for request: tmsh example

This topic provides a tmsh command to list the configured settings for a policy that prevents a spoof of an x-forwarded-for request. This is a situation in which an attacker attempts to thwart security by falsifying the IP address in a header and passing it through the BIG-IP system. This topic also provides a tmsh command to list the configured virtual server settings.
    (tmos)# list ltm policy PreventSpoofOfXFF
    ltm policy SelectiveCompression {
        controls { compression }
        description "This policy prevents a spoof of an x-forwarded-for request."
        last-modified 2016-03-02:11:46:00
        requires { http }
        rules {
            StopSpoof {
                actions {
                    0 {
                        http-header
                        replace
                        name X-foRWardED-for
                        value tcl:[IP::client_addr]
                    }
                }
            }
        }
        status published
        strategy first-match
    }
    (tmos.ltm.virtual)# list ltm virtual HTTP-VS3
    ltm virtual HTTP-VS3 {
        destination 10.10.0.41:http
        ip-protocol tcp
        mask 255.255.255.255
        policies {
            PreventSpoofOfXFF { }
        }
        profiles {
            http { }
            tcp { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vs-index 4
    }

Preventing a spoof of an x-forwarded-for request: iRules example

This topic provides an example of iRules code that is equivalent to a policy that prevents a spoof of an x-forwarded-for request. This is a situation in which an attacker attempts to thwart security by falsifying the IP address in a header and passing it through the BIG-IP system. This example replaces the x-forwarded-for header of a request with the actual client IP address, and adds the header when the request has none.
    when HTTP_REQUEST {
        # Track whether the request carried an X-Forwarded-For header at all.
        set xff 0
        foreach x [HTTP::header names] {
            # Compare the header name case-insensitively so a mixed-case
            # spelling cannot slip past the check.
            if { [string tolower $x] equals "x-forwarded-for" } {
                set xff 1
                # Drop the client-supplied value and replace it with the
                # address of the TCP connection the BIG-IP accepted.
                HTTP::header remove $x
                HTTP::header insert X-FORWARDED-FOR [IP::client_addr]
            }
        }
        # No such header present: add one so the server always sees the real address.
        if { $xff == 0 } {
            HTTP::header insert X-FORWARDED-FOR [IP::client_addr]
        }
    }
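The same rewrite modelled in Python, as an added example that is not F5's code: it applies the iRule's logic (case-insensitive match, removal of every client-supplied copy, insertion of the real connection address) to a constructed request and shows what a backend that trusts the header would see with and without it. The header lists, addresses and function names are assumptions for the demonstration.

```python
from ipaddress import ip_address

XFF = "x-forwarded-for"

# Constructed sample request: a client connecting from 203.0.113.7 sends two
# forged X-Forwarded-For headers in mixed letter case, hoping the backend
# will treat the connection as coming from an internal address.
CLIENT_ADDR = "203.0.113.7"
SPOOFED_REQUEST = [
    ("Host", "app.example"),
    ("X-FoRwArDeD-FoR", "10.0.0.1"),
    ("x-forwarded-for", "127.0.0.1, 10.0.0.2"),
]

def sanitize_xff(headers, client_addr):
    """Proxy-side rewrite equivalent to the iRule above: drop every
    client-supplied X-Forwarded-For header, whatever its letter case and
    however many copies there are, then insert exactly one carrying the
    address of the TCP connection (IP::client_addr on the BIG-IP)."""
    ip_address(client_addr)  # refuse to forward a malformed address
    kept = [(name, value) for name, value in headers if name.lower() != XFF]
    kept.append(("X-Forwarded-For", client_addr))
    return kept

def backend_client_ip(headers, peer_addr):
    """What a backend that trusts X-Forwarded-For typically does: take the
    first value of the first such header, else fall back to its TCP peer."""
    for name, value in headers:
        if name.lower() == XFF:
            return value.split(",")[0].strip()
    return peer_addr

if __name__ == "__main__":
    # Without the policy the backend believes the forged header ...
    print("unprotected:", backend_client_ip(SPOOFED_REQUEST, CLIENT_ADDR))
    # ... with it, the only X-Forwarded-For value is the real client address.
    clean = sanitize_xff(SPOOFED_REQUEST, CLIENT_ADDR)
    print("protected:  ", backend_client_ip(clean, CLIENT_ADDR))
```

Replacing (rather than appending to) the header is correct only when the BIG-IP is the first proxy clients reach; a trusted proxy in front of it would have its hop discarded as well.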