Manual Chapter : Example Preventing a spoof of an x-forwarded-for request

Applies To:


BIG-IP LTM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP PEM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

You can create a local traffic policy to prevent a spoof of an x-forwarded-for request. This is a security issue where attackers might attempt to thwart security by falsifying the IP address in a header, and pass it through the BIG-IP® system.

Examples

Creating a policy to prevent a spoof of an x-forwarded-for request: video example

You can associate a BIG-IP® local traffic policy with a virtual server to prevent a spoof of an x-forwarded-for request. This is a security issue where attackers might attempt to thwart security by falsifying the IP address in a header, and pass it through the BIG-IP system. Watch the following video for an example of creating a local traffic policy and associating it with a virtual server.

Watch how to create a policy to prevent a spoof of an x-forwarded-for request

You can also visit our DevCentral™ YouTube channel to see this video. Use any of these ways:

  • Click this URL: https://youtu.be/QrQxjt4-e4k.
  • Copy and paste the above URL into your browser window.
  • Use your browser to search for this video using the title F5: Creating a local traffic policy to prevent a spoof of an x-forwarded-for request.

When you have completed the task shown in the video, the policy is associated with a virtual server.

Preventing a spoof of an x-forwarded-for request: tmsh example

This topic provides a tmsh command that lists the configured settings of a policy that prevents a spoof of an x-forwarded-for request, a request in which attackers attempt to thwart security by falsifying the IP address in a header and passing it through the BIG-IP® system. It also provides a tmsh command that lists the settings of the virtual server the policy is associated with.

(tmos)# list ltm policy PreventSpoofOfXFF
ltm policy PreventSpoofOfXFF {
    description "This policy prevents a spoof of an x-forwarded-for request."
    last-modified 2016-03-02:11:46:00
    requires { http }
    rules {
        StopSpoof {
            actions {
                0 {
                    http-header
                    replace
                    name X-foRWardED-for
                    value tcl:[IP::client_addr]
                }
            }
        }
    }
    status published
    strategy first-match
}

(tmos.ltm.virtual)# list ltm virtual HTTP-VS3
ltm virtual HTTP-VS3 {
    destination 10.10.0.41:http
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        PreventSpoofOfXFF { }
    }
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 4
}

Preventing a spoof of an x-forwarded-for request: iRules example

This topic provides an example of iRules code that is equivalent to a policy that prevents a spoof of an x-forwarded-for request. This is a situation where attackers might attempt to thwart security by falsifying the IP address in a header, and pass it through the BIG-IP® system. The example removes any x-forwarded-for header the client sent, whatever its capitalization, and inserts a single x-forwarded-for header carrying the actual client IP address, so the header is present and trustworthy whether or not the client supplied one.

when HTTP_REQUEST {
    # Remove every X-Forwarded-For header the client supplied. Header names are
    # compared case-insensitively, and the loop visits each occurrence, so a
    # request carrying several copies of the header is cleaned as well.
    foreach x [HTTP::header names] {
        if { [string tolower $x] equals "x-forwarded-for" } {
            HTTP::header remove $x
        }
    }
    # Insert exactly one header carrying the address of the TCP peer, whether
    # or not the client sent the header in the first place.
    HTTP::header insert X-FORWARDED-FOR [IP::client_addr]
}
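The following Python script models the header rewrite performed by the local traffic policy and the iRule above, so the behaviour can be tested offline against a spoofed, a duplicated and an absent header. It is an added example, not F5 code or anything that runs on the BIG-IP system: the header-list representation, the function names sanitize_xff and effective_client_ip, and the sample addresses are assumptions chosen for illustration. The second function shows the check a backend application behind the proxy can apply, accepting the header only when exactly one copy is present.

```python
"""Model of the X-Forwarded-For rewrite done by the policy and iRule above.
Added example, not F5 code: the header-list format, function names and
sample addresses are assumptions chosen for illustration."""

from typing import Dict, List, Tuple

Header = Tuple[str, str]

XFF = "x-forwarded-for"


def sanitize_xff(headers: List[Header], client_addr: str) -> List[Header]:
    """Return a copy of ``headers`` with every X-Forwarded-For header the
    client supplied removed (any capitalisation, any number of copies) and a
    single X-FORWARDED-FOR header carrying the real TCP peer address added.

    Header names are matched case-insensitively, as in the iRule, so a client
    cannot dodge the rewrite by sending ``x-Forwarded-FOR``."""
    kept = [(name, value) for name, value in headers if name.lower() != XFF]
    kept.append(("X-FORWARDED-FOR", client_addr))
    return kept


def effective_client_ip(headers: List[Header]) -> str:
    """Check a backend application can apply once it sits behind the proxy:
    accept the header only when exactly one X-Forwarded-For copy is present.
    Several copies mean the request was not sanitized, so refuse to pick one
    rather than guess which copy came from the proxy."""
    values = [value for name, value in headers if name.lower() == XFF]
    if len(values) != 1:
        raise ValueError(
            f"expected exactly one X-Forwarded-For header, got {len(values)}"
        )
    return values[0]


# Constructed sample requests; addresses come from RFC 5737 documentation
# ranges and the 10.0.0.0/8 private range, not from the manual page.
PEER = "198.51.100.7"  # address the proxy sees on the TCP connection

SPOOFED = [
    ("Host", "www.example.com"),
    ("x-Forwarded-FOR", "10.0.0.1"),  # client claims an internal address
]
DUPLICATED = [
    ("Host", "www.example.com"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("X-Forwarded-For", "192.0.2.9"),
]
ABSENT = [("Host", "www.example.com")]


def demo() -> Dict[str, str]:
    """Run the rewrite over the three constructed requests and report the
    client address the backend ends up seeing for each."""
    results: Dict[str, str] = {}
    samples = (("spoofed", SPOOFED), ("duplicated", DUPLICATED), ("absent", ABSENT))
    for label, request in samples:
        forwarded = sanitize_xff(request, PEER)
        results[label] = effective_client_ip(forwarded)
    return results


if __name__ == "__main__":
    for label, ip in demo().items():
        print(f"{label:10s} -> backend sees X-Forwarded-For: {ip}")
```

In every case the backend sees the TCP peer address, not the value the client asserted. Running effective_client_ip on the unsanitized DUPLICATED request raises instead, which is the point of the check: it only produces an answer once a policy or iRule like the ones above has cleaned the request.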