Forum Discussion

jzitnik's avatar
jzitnik
Icon for Nimbostratus rankNimbostratus
Aug 15, 2024

Header injection rule

Hello everyone.

I need to make a rule that injects a header value based on the presence of specific client side IP addresses 192.168.0.1, 192.168.0.2, 192.168.0.3 Etc..

 

What I think it would be is something like:

when HTTP_REQUEST {
       if { [HTTP::host] eq "hostname" }{
       pool POOL_NAME
       }

 

and then an if statement with the allowed IPs

Don't know if I need the X-Forwarded-For value here?

 

and then HTTP::header insert "valuename" "allow"

 

We have a proxy on the back end that will read the value and allow access to the backend server based on the presence of the "allow" value in the header injection.

 

Sorry, My F5 skills are basic at best.

  • I believe the following should work for you and you shouldn't need X-Forwarded-For.

    when HTTP_REQUEST priority 500 {
    
        if { [class match -- [IP::client_addr] equals "datagroup_name" ] } {
            HTTP::header insert proxy_action "trusted"
        }
    
        if { [HTTP::host] eq "myhost.mydomain.com" } {
            pool MYPOOL
        }
    
    }

     

  • If your backend need to get actual source ip address, please allow x-forward-for n http profile 

    If any specific ips only need to pool, you have to create source group or create a irule for the allow

  • Hi,

     

    Do you want only need to allow specific ips or need to allow all ips and need to add header on specific ips 

    If you want to allow only specific ips, then create a source group and add custom header in http profile. Use below article 

    https://my.f5.com/manage/s/article/K57354286

  • I see that article.  I see how to insert a custom header.  I don't see how to insert a custom header based on the client request of a specific address. 

    If host = mypubliccnametoaddress.mydomain.com

    if address is member of address group

    insert value

    We're already getting the X-Forward-For address, what we need to do is look at that address, and if the X-Forward-For address matches the four addresses we want to allow, and the traffic is bound for a specific pool, insert a value.  If not, do nothing.  Once the traffic passes through the F5, our proxy looks for the inserted value and allows or denies based on the request.

  • Would this irule work?

    when HTTP_REQUEST {
           if { [HTTP::host] eq "myhost.mydomain.com" } {
           pool MYPOOL
           }
           if { [IP::addr [IP::client_addr] equals "datagroup_name" ] } {
            HTTP::header insert "valuename" "trusted"
            }

     

    If the client_addr comes from X-Forward-For and there is a data group named datagroup_name and an ip address is in that group, will it add "trusted"

  • sorry I think this should be 

    when HTTP_REQUEST {
           if { [HTTP::host] eq "myhost.mydomain.com" } {
           pool MYPOOL
           }
           if { [class match [IP::client_addr] equals "datagroup_name" ] } {
            HTTP::header insert "valuename" "trusted"
            }

    • Paulius's avatar
      Paulius
      Icon for MVP rankMVP

      I believe the following should work for you and you shouldn't need X-Forwarded-For.

      when HTTP_REQUEST priority 500 {
      
          if { [class match -- [IP::client_addr] equals "datagroup_name" ] } {
              HTTP::header insert proxy_action "trusted"
          }
      
          if { [HTTP::host] eq "myhost.mydomain.com" } {
              pool MYPOOL
          }
      
      }

       

      • jzitnik's avatar
        jzitnik
        Icon for Nimbostratus rankNimbostratus

        What do the two "--" do after the class match?

    • Aswin_mk's avatar
      Aswin_mk
      Icon for Cumulonimbus rankCumulonimbus

      Is it worked after applying irules. Please let me know the working status

       

      Br

      Aswin 

      • jzitnik's avatar
        jzitnik
        Icon for Nimbostratus rankNimbostratus

        The irule worked.  We had a check on the proxy that allowed or denied based on the value and it worked.  We had a different issue that caused a different problem, although it did help us figure out another issue we were not aware of.  Thanks everyone for your help.