Last week, we looked at how to do Selective Compression on BIG-IP with a local traffic policy, so this week let's try something security-related using the same procedures.
You can attach a BIG-IP local traffic policy to a virtual server to stop X-Forwarded-For spoofing. This is where a bad actor sends a request carrying their own X-Forwarded-For header with a falsified client IP address, hoping that the application behind the BIG-IP system trusts that header for logging or access decisions. The policy overwrites the header on every request with the real source address of the client connection, so a forged value never reaches the application.
Pre-reqs:
- We're using BIG-IP v12, and
- We already have a Virtual Server configured to manage HTTP traffic, with an HTTP profile assigned to it.
Let’s log into a BIG-IP
The first thing we'll need to do is create a draft policy.
On the main menu select Local Traffic > Policies > Policy List and then click the Create or + button.
This takes us to the create policy config screen. Type a unique Policy Name like PreventSpoofOfXFF and, optionally, add a description. Leave the Strategy at the default of Execute first matching rule. Click Create Policy.
We're then directed to the draft policy's General Properties page, where we can create the rules for the policy. In the Rules area, click Create.
We'll give the rule a unique name like StopSpoof. The rule needs to match every HTTP request, so we can leave the condition at its default of All Traffic. Then we'll tell the policy what to do when the All Traffic condition matches. The new action is to Replace the HTTP header named X-Forwarded-For with the value tcl:[IP::client_addr] at request time. The tcl: prefix tells the policy to evaluate the Tcl expression that follows, and IP::client_addr returns the source IP address of the client connection, so whatever value the client put in the header is discarded. Click Save.
Also, save the draft.
Then select the box next to the draft policy and click Publish.
We can now associate the published policy with a virtual server that we're using to manage HTTP traffic. On the main menu click Local Traffic > Virtual Servers > Virtual Server List and click the name of the virtual server you'd like to associate with the policy.
On the menu bar click Resources and, next to Policies, click Manage. Move PreventSpoofOfXFF to the Enabled list and click Finished.
Now every HTTP request passing through that virtual server has its X-Forwarded-For header set to the source IP address of the client connection, so a client that sends a forged X-Forwarded-For value can no longer spoof its address to the application. Note that the policy does not block such requests; it rewrites the header. Also, if a proxy or CDN that you trust sits in front of the BIG-IP, IP::client_addr is that proxy's address rather than the end user's, so in that topology you would want to preserve the value the trusted proxy set instead of overwriting it.
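To make the security point concrete, here is an added Python model (example code, not F5's) of how a backend that trusts X-Forwarded-For records the client IP, with the header passed through untouched versus rewritten by the policy. The addresses and requests are constructed; the backend logic is a typical "trust the first value" implementation rather than any particular product; and the replace semantics (rewrite the last occurrence, insert if absent) are taken from the iRule command HTTP::header replace, so treating the policy's Replace action as identical is an assumption to verify on your version. The duplicate-header request is included because it is the one case where a single replace and a remove-then-insert can differ.

```python
# Added example (not F5 code): a small model of how an application behind
# BIG-IP derives the client IP from X-Forwarded-For, and what the
# PreventSpoofOfXFF replace action changes. Addresses and requests below are
# constructed for the demonstration.

XFF = "x-forwarded-for"

CONN_IP = "203.0.113.7"    # constructed: real source IP of the client's TCP connection
SNAT_IP = "10.1.1.2"       # constructed: SNAT address the pool member sees as its TCP peer
FORGED_IP = "192.0.2.99"   # constructed: address the attacker wants to be seen as

# Constructed requests, as ordered (name, value) header lists so that
# duplicate headers can be represented.
HONEST = [("Host", "app.example.com")]
FORGED = [("Host", "app.example.com"), ("X-Forwarded-For", FORGED_IP)]
FORGED_TWICE = FORGED + [("X-Forwarded-For", "198.51.100.3")]


def app_client_ip(headers, peer_ip):
    """Typical backend logic: trust the first X-Forwarded-For header's first
    value; if there is none, fall back to the TCP peer (the SNAT address)."""
    for name, value in headers:
        if name.lower() == XFF:
            return value.split(",")[0].strip()
    return peer_ip


def no_policy(headers, conn_ip):
    """Baseline: BIG-IP forwards the client's headers untouched."""
    return list(headers)


def policy_replace(headers, conn_ip):
    """The article's action, 'Replace X-Forwarded-For with tcl:[IP::client_addr]'.
    Modelled on the documented behaviour of the iRule command HTTP::header
    replace: rewrite the LAST occurrence of the header, insert it if absent.
    Assumption: the policy action behaves the same; verify on your version."""
    out = list(headers)
    positions = [i for i, (name, _) in enumerate(out) if name.lower() == XFF]
    if positions:
        out[positions[-1]] = ("X-Forwarded-For", conn_ip)
    else:
        out.append(("X-Forwarded-For", conn_ip))
    return out


def policy_remove_then_insert(headers, conn_ip):
    """Hardened variant: drop every X-Forwarded-For the client sent, then
    insert exactly one carrying the connection address. Unaffected by how
    Replace treats duplicate headers."""
    out = [(name, value) for name, value in headers if name.lower() != XFF]
    out.append(("X-Forwarded-For", conn_ip))
    return out


def seen_by_app(policy, headers, conn_ip=CONN_IP, peer_ip=SNAT_IP):
    """Apply a policy to a request and return the client IP the backend records."""
    return app_client_ip(policy(headers, conn_ip), peer_ip)


def wrong_client_ip(policy, headers, conn_ip=CONN_IP):
    """True when the backend records something other than the real client IP."""
    return seen_by_app(policy, headers, conn_ip) != conn_ip


if __name__ == "__main__":
    for label, request in (("honest", HONEST), ("forged", FORGED), ("forged twice", FORGED_TWICE)):
        for policy in (no_policy, policy_replace, policy_remove_then_insert):
            ip = seen_by_app(policy, request)
            print(f"{label:13} {policy.__name__:26} app sees {ip:14} "
                  f"wrong={wrong_client_ip(policy, request)}")
```

Running the script prints one row per request and policy. Without the policy the forged request makes the application log 192.0.2.99; with the replace action it logs the connection address 203.0.113.7. The request carrying two X-Forwarded-For headers shows why it is worth confirming how your version handles duplicates: under the modelled last-occurrence semantics the first forged header survives, while the remove-then-insert variant always leaves exactly one header with the real address.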
Congrats! You've easily added some extra security to your virtual server with a local traffic policy! You can also watch the full video demo thanks to our TechPubs team.
ps