Forum Discussion
Kai_Wilke
Feb 10, 2016 (MVP)
Hi Parknook,
I share your opinion, to not use the HTTP profile "Insert X-Forwarded-For" option, when security is somehow a concern.
But keep in mind that a replace header action is also not the right choice to sanitize every existing instance of X-Forwarded-For from the received HTTP request. The replace action would only modify the last occurrence of X-Forwarded-For, but your application may use the first one. So a combination of remove and insert is the most secure syntax you can pull off...
To be able to set those headers with LTM Policies prior to v12, you may pass a [HTTP::header remove "X-Forwarded-For"] and [HTTP::header insert "X-Forwarded-For" [IP::client_addr]] syntax using the TCL policy action. Well, the TCL action is originally not intended to manipulate request information, but works like a charm and also supports a rich TCL substitution...
ltm policy Insert_X-Forwarded-For {
    requires { http }
    rules {
        Rule1 {
            actions {
                0 {
                    tcl
                    set-variable
                    expression "[HTTP::header remove \"X-Forwarded-For\"]"
                    name x_forward_for
                }
                1 {
                    tcl
                    set-variable
                    expression "[HTTP::header insert \"X-Forwarded-For\" [IP::client_addr]]"
                    name x_forward_for
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}
Note: Personally I wouldn't recommend using an LTM Policy to issue native TCL commands. But if you require a pure LTM Policy based configuration, then this approach would be one of the last options before migrating to v12...
Cheers, Kai
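The difference between the three header actions discussed in the reply above, as an added illustration that is not part of the original post or of F5's own code: a constructed request carrying two client-supplied X-Forwarded-For headers is run through a modelled "insert", "replace" (last occurrence only, as the post describes) and "remove + insert", and a backend that reads the first X-Forwarded-For header reports which address it would trust. The action semantics and the backend's first-header behaviour are assumptions made for the illustration.

```python
from typing import List, Optional, Tuple

# A request's headers as an ordered list of (name, value) pairs
Headers = List[Tuple[str, str]]
XFF = "x-forwarded-for"

def action_insert(headers: Headers, value: str) -> Headers:
    # Modelled "Insert X-Forwarded-For": appends a header, leaves existing ones untouched
    return headers + [("X-Forwarded-For", value)]

def action_replace(headers: Headers, value: str) -> Headers:
    # Modelled "replace" action: rewrites only the last occurrence (assumption, per the post)
    out = list(headers)
    for i in range(len(out) - 1, -1, -1):
        if out[i][0].lower() == XFF:
            out[i] = (out[i][0], value)
            return out
    return out + [("X-Forwarded-For", value)]  # nothing to replace: add one

def action_remove_then_insert(headers: Headers, value: str) -> Headers:
    # Modelled "remove" followed by "insert": strips every client-supplied copy first
    kept = [h for h in headers if h[0].lower() != XFF]
    return kept + [("X-Forwarded-For", value)]

def app_client_ip(headers: Headers) -> Optional[str]:
    # A backend that trusts the first X-Forwarded-For header it encounters (assumption)
    for name, value in headers:
        if name.lower() == XFF:
            return value.split(",")[0].strip()
    return None

# Constructed sample request: the client has already supplied two X-Forwarded-For headers
SPOOFED_REQUEST: Headers = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("X-Forwarded-For", "10.0.0.2"),
]
REAL_CLIENT = "203.0.113.7"  # what IP::client_addr would return (constructed)

def compare_actions() -> dict:
    # Address the backend would attribute the request to, per header action
    return {
        "insert": app_client_ip(action_insert(SPOOFED_REQUEST, REAL_CLIENT)),
        "replace": app_client_ip(action_replace(SPOOFED_REQUEST, REAL_CLIENT)),
        "remove+insert": app_client_ip(action_remove_then_insert(SPOOFED_REQUEST, REAL_CLIENT)),
    }

if __name__ == "__main__":
    for action, seen in compare_actions().items():
        print(f"{action:14s} -> backend sees {seen}")
```

Only the remove-then-insert variant leaves the backend with the real client address; the other two still expose the first client-supplied value.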