Forum Discussion

veredgfbll
Mar 10, 2024

xff and geolocation

If I want to create a DoS L7 profile that needs to check the XFF header as the source address (I will add an HTTP+XFF profile), and I want to exclude a country from the DoS L7 policy using an LTM policy: can this be done with XFF? Can the LTM policy recognise the geolocation of XFF addresses?

If not with an LTM policy, can this be done with an iRule?

 

thanks,

 

Vered


    Using the X-Forwarded-For (XFF) header to determine the source IP address can be helpful, but the LTM policy itself won't have built-in functionality to directly recognize the geolocation of the IP addresses extracted from the XFF header. However, you can achieve this functionality with iRules.

     

    Here's a general approach using an iRule:

     

    1. Extract the client IP address from the XFF header.
    2. Use a geolocation lookup service or database (e.g., MaxMind GeoIP) to determine the country associated with the extracted IP address.
    3. Implement logic in the iRule to exclude requests coming from the specified country from the DoS L7 policy.

    An iRule allows for more flexible and custom scripting, enabling you to manipulate traffic based on various conditions, including the XFF header and geolocation data. Below is a simplified example of how you might implement this:

     

    when HTTP_REQUEST {
        set xff_header [HTTP::header "X-Forwarded-For"]
        if { $xff_header ne "" } {
            # Extract the client IP address from the XFF header (first entry, whitespace trimmed)
            set client_ip [string trim [lindex [split $xff_header ","] 0]]
            # Perform geolocation lookup for the client IP address using the built-in
            # geolocation database (whereis; there is no geo::ipcountry command in iRules)
            set country [whereis $client_ip country]
            # Check if the request is coming from the excluded country
            if { $country eq "Excluded_Country_Code" } {
                # Reset the connection for requests from the excluded country
                reject
                return
            }
        }
        # If not from the excluded country, continue processing the request
        # Add other logic or actions here
    }

    Replace "Excluded_Country_Code" with the appropriate country code for the country you want to exclude from the DoS L7 policy.

     

    Keep in mind that implementing such logic can add complexity to your configuration, and you should thoroughly test and validate the iRule to ensure it behaves as expected and does not inadvertently block legitimate traffic. Additionally, consider the performance impact of using iRules, especially if they are processing a large volume of traffic.

     

     

     

     

    • veredgfbll

      Thank you very much. I will test this irule. I can already say that the LTM policy does not recognize geolocation from xff IPs, so this may be our only option.

      Thanks

      • veredgfbll

        I made some changes, as I didn't find any command called geo::ipcountry.

        when HTTP_REQUEST {
            set xff_header [HTTP::header "X-Forwarded-For"]
            if { $xff_header ne "" } {
                # Extract the client IP address from the XFF header (first entry, whitespace trimmed)
                set client_ip [string trim [lindex [split $xff_header ","] 0]]
                # Check if the request is *not* coming from the excluded country
                if { !([whereis $client_ip country] equals "country_code") } {
                    # enable the DoS profile (named "dos" here)
                    DOSL7::enable dos
                    #return
                } else {
                    # excluded country: skip DoS L7 checks for this request
                    DOSL7::disable
                }
            }
        }

        I need to test it....
        Will update.

  • veredgfbll Sadly I am not familiar enough with ltm policies to say if you can or cannot do this. You should be able to do this with an iRule but it will become a bit tricky if your XFF has multiple IP entries that could range from single to any number of IPs in that header field.
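Pulling together the iRule approach from the first reply and the multi-entry X-Forwarded-For concern raised in the last one, here is an added example written for this page; it was not posted by anyone in the thread and is not F5 product code. It exempts one country from the DoS L7 profile with DOSL7::disable, and it picks the client address from the X-Forwarded-For chain by walking the chain from the right past a list of trusted proxies instead of trusting the leftmost entry, which the client itself can set. The data group name trusted_proxies_dg and the country code IL are assumptions.

```tcl
# Added example, not code from this thread: exempt one country from the DoS L7 profile while
# choosing the client address out of X-Forwarded-For more carefully than "take the first entry".
#
# Assumptions (hypothetical names, adjust to your environment):
#   - a DoS L7 profile is attached to the virtual server, so it is active unless DOSL7::disable runs;
#   - an address-type data group "trusted_proxies_dg" lists the CDN/proxy ranges that are allowed
#     to append X-Forwarded-For entries;
#   - "IL" stands in for the ISO 3166-1 alpha-2 code of the country to exclude (the format
#     that whereis returns).
# iRules run on Tcl 8.4, so lreverse/lassign are avoided on purpose.

when HTTP_REQUEST {
    set excluded_countries [list "IL"]

    # Start from the TCP peer: correct when nothing proxies the request, and the safe
    # fallback otherwise (it is also what remains if every hop in the chain is a trusted proxy).
    set client_ip [IP::client_addr]

    # Only honour X-Forwarded-For when the TCP peer is one of our own proxies. A client that
    # reaches the virtual server directly can put any address in that header.
    if { [class match $client_ip equals trusted_proxies_dg] } {
        # A request may carry several X-Forwarded-For headers; merge them into one chain
        # instead of reading only the first one with [HTTP::header value ...].
        set hops [split [join [HTTP::header values "X-Forwarded-For"] ","] ","]

        # Walk from the rightmost entry (written by the proxy nearest to us) to the left and
        # stop at the first address that is not a trusted proxy. Everything further left was
        # supplied by that hop or by the client and can be forged; the leftmost entry in
        # particular is attacker-chosen.
        for { set i [expr { [llength $hops] - 1 }] } { $i >= 0 } { incr i -1 } {
            set hop [string trim [lindex $hops $i]]
            # Skip empty entries and non-address junk such as "unknown".
            if { $hop eq "" || ![regexp {^[0-9A-Fa-f.:]+$} $hop] } { continue }
            if { [class match $hop equals trusted_proxies_dg] } { continue }
            set client_ip $hop
            break
        }
    }

    # whereis returns "" for private or unknown ranges and throws on a malformed address;
    # treat both as "not excluded" so the DoS profile stays on.
    if { [catch { set country [whereis $client_ip country] }] } { set country "" }

    if { $country ne "" && [lsearch -exact $excluded_countries $country] >= 0 } {
        # Excluded country: skip DoS L7 checks for this request only; everything else keeps
        # the profile attached to the virtual server.
        DOSL7::disable
        log local0. "DoS L7 exemption: client=$client_ip country=$country uri=[HTTP::uri]"
    }
}
```

The rule "rightmost entry that is not one of your own proxies" is the only reading of X-Forwarded-For that a client cannot influence, and it only holds if the virtual server is reachable exclusively through those proxies; if clients can bypass the CDN and hit the origin directly, the trusted-peer check above is what stops them from naming their own country. Note that the iRule only decides whether the DoS profile runs for a request; which address the DoS profile itself counts against is governed by the HTTP profile's XFF setting that the question refers to.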