Applies To:
BIG-IP LTM
- 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP PEM
- 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP ASM
- 14.1.2, 14.1.0, 14.0.1, 14.0.0
Example: Preventing a spoof of an x-forwarded-for request
You can create a local traffic policy to prevent a spoof of an x-forwarded-for request. This is a security issue where attackers might attempt to thwart security by falsifying the client IP address in the X-Forwarded-For header of a request and passing it through the BIG-IP® system, so that a server behind the BIG-IP system trusts the forged address.
Examples
Creating a policy to prevent a spoof of an x-forwarded-for request: video example
You can associate a BIG-IP local traffic policy with a virtual server to prevent a spoof of an x-forwarded-for request. This is a security issue where attackers might attempt to thwart security by falsifying the IP address in a header, and pass it through the BIG-IP system. Watch the following video for an example of creating a local traffic policy and associating it with a virtual server.
Watch how to create a policy to prevent a spoof of an x-forwarded-for request
You can also visit our DevCentral YouTube channel to see this video. Use any of these ways:
- Click this URL: https://youtu.be/QrQxjt4-e4k .
- Copy and paste the above URL into your browser window.
- Use your browser to search for this video using the title F5: Creating a local traffic policy to prevent a spoof of an x-forwarded-for request.
Preventing a spoof of an x-forwarded-for request: tmsh example
This topic provides a tmsh command to list the configured settings for a policy to prevent a spoof of an x-forwarded-for request. This is a request in which attackers might attempt to thwart security by falsifying the IP address in a header and passing it through the BIG-IP system. This topic also provides a tmsh command to list the configured settings of the virtual server that the policy is attached to.
(tmos)# list ltm policy PreventSpoofOfXFF
ltm policy PreventSpoofOfXFF {
    description "This policy prevents a spoof of an x-forwarded-for request."
    last-modified 2016-03-02:11:46:00
    requires { http }
    rules {
        StopSpoof {
            actions {
                0 {
                    http-header
                    replace
                    name X-foRWardED-for
                    value tcl:[IP::client_addr]
                }
            }
        }
    }
    status published
    strategy first-match
}
(tmos.ltm.virtual)# list ltm virtual HTTP-VS3
ltm virtual HTTP-VS3 {
    destination 10.10.0.41:http
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        PreventSpoofOfXFF { }
    }
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 4
}
Preventing a spoof of an x-forwarded-for request: iRules example
This topic provides an example of iRules code that is equivalent to a policy that prevents a spoof of an x-forwarded-for request. This is a situation where attackers might attempt to thwart security by falsifying the IP address in a header and passing it through the BIG-IP system. This example replaces the value of any x-forwarded-for header in the request, whatever its letter case, with the actual client IP address, and inserts the header if the request did not carry one.
when HTTP_REQUEST {
    # Tracks whether the request carried an x-forwarded-for header.
    set xff 0
    # Header names are matched case-insensitively so that a client cannot
    # evade the check by varying the case (for example X-FoRWardED-for).
    foreach x [HTTP::header names] {
        if { [string tolower $x] equals "x-forwarded-for" } {
            set xff 1
            # Discard whatever the client supplied and carry the address
            # of the TCP connection instead.
            HTTP::header remove $x
            HTTP::header insert X-FORWARDED-FOR [IP::client_addr]
        }
    }
    # A request without the header still gets the real client address.
    if { $xff == 0 } {
        HTTP::header insert X-FORWARDED-FOR [IP::client_addr]
    }
}
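The following Python model shows why the policy and the iRule above matter. It is an added example, not F5 code: it parses a constructed HTTP/1.1 request head, shows how a backend that trusts X-Forwarded-For is misled by a forged header, and then applies the same normalization the BIG-IP policy performs (every X-Forwarded-For header, in any letter case, is dropped and a single one carrying the TCP client address is inserted). The function names, the sample request, and the addresses 203.0.113.7 and 10.10.0.5 are assumptions made for the example.

```python
"""Model of the X-Forwarded-For (XFF) anti-spoofing policy on a proxy.

Added example, not F5 code. parse_request_head, enforce_xff and
trusting_backend_ip are hypothetical names. enforce_xff mirrors the
local traffic policy on this page: every XFF header, whatever its case,
is removed and one XFF header carrying the TCP client address is inserted.
"""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_request_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.1 request head into the request line and a header list.

    Header order and duplicates are preserved and names keep their original
    case, because both matter for the spoofing case shown below.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def enforce_xff(headers: List[Header], client_addr: str) -> List[Header]:
    """Apply the policy: drop all XFF headers (case-insensitive match, so
    X-FoRWardED-for is caught too) and add one holding the real client address."""
    kept = [(n, v) for n, v in headers if n.lower() != "x-forwarded-for"]
    kept.append(("X-Forwarded-For", client_addr))
    return kept


def trusting_backend_ip(headers: List[Header], peer_addr: str) -> str:
    """How a typical backend derives the client IP when it trusts XFF:
    the leftmost value of the first XFF header, else the TCP peer address."""
    for n, v in headers:
        if n.lower() == "x-forwarded-for":
            return v.split(",")[0].strip()
    return peer_addr


# Constructed request: the TCP client is 203.0.113.7 (RFC 5737 documentation
# range) but it forges two XFF headers in mixed case to pose as internal hosts.
SPOOFED_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"X-FoRWardED-for: 10.0.0.1\r\n"
    b"x-forwarded-for: 192.168.1.1\r\n"
    b"\r\n"
)
CLIENT_ADDR = "203.0.113.7"   # constructed: address of the TCP connection
PROXY_ADDR = "10.10.0.5"      # constructed: the proxy address the backend sees


def demo() -> Tuple[str, str, List[Header]]:
    """Return (client IP the backend sees without the policy,
               client IP the backend sees with the policy,
               headers after the policy ran)."""
    _, headers = parse_request_head(SPOOFED_REQUEST)
    before = trusting_backend_ip(headers, PROXY_ADDR)
    after_headers = enforce_xff(headers, CLIENT_ADDR)
    after = trusting_backend_ip(after_headers, PROXY_ADDR)
    return before, after, after_headers


if __name__ == "__main__":
    before, after, hdrs = demo()
    print("without the policy the backend believes the client is:", before)
    print("with the policy the backend sees:", after)
    print("headers forwarded to the backend:", hdrs)
```

Run as-is, the first line printed is the forged 10.0.0.1 and the second is the true 203.0.113.7. Note that the policy overwrites rather than appends; a proxy that appends the client address (the conventional XFF behaviour) would leave the forged values in place as the leftmost entries, which is exactly what a trusting backend reads.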