Bug ID 497376: Wrong use of custom XFF headers when there are multiple matches

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP ASM, AVR (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5

Opened: Dec 18, 2014
Severity: 3-Major

Symptoms

In a specific case where multiple XFF headers match and special settings are in effect, one of the supplied XFF headers is used, but not the desired one.

Impact

The incoming request is treated as coming from an IP address that is not the desired address. This affects the reports and the identification of this request by the DoS system.

Conditions

1. Configuring at least one custom XFF header in the HTTP profile.
2. The incoming request has at least 2 headers that match the custom headers.
3. The DB variable avr.alwaysuselastxff is set to 0.

Workaround

It is possible to set an iRule that implements the logic of comparing the XFF headers, removing the unnecessary ones, and keeping only the desired one.
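
One way to write such an iRule, as an added example that is not F5's code. The header names, the choice of which header is the "desired" one, and the policy of keeping the last entry of its last value are assumptions to adapt to the deployment.

```tcl
# Added example, not F5's code. Header names and the selection policy
# below are assumptions; adapt them to the HTTP profile in use.
when HTTP_REQUEST {
    # Assumed: the custom XFF header names configured in the HTTP profile.
    set xff_names [list "X-Client-IP" "X-Forwarded-For"]
    # Assumed: the one header this deployment trusts, written by its own
    # edge proxy in front of the BIG-IP.
    set desired "X-Client-IP"

    # Count every candidate header instance carried by the request.
    set matches 0
    foreach name $xff_names {
        incr matches [llength [HTTP::header values $name]]
    }

    # A single match is not the condition described in this bug; leave it alone.
    if { $matches < 2 } { return }

    # The desired header may repeat, and each value may be a comma-separated
    # chain. Keep the last entry of the last value (the hop nearest the BIG-IP).
    set keep ""
    if { [HTTP::header exists $desired] } {
        set last_value [lindex [HTTP::header values $desired] end]
        set keep [string trim [lindex [split $last_value ","] end]]
    }

    # Remove every candidate header so only one can match afterwards.
    foreach name $xff_names {
        HTTP::header remove $name
    }

    # Re-insert the single desired value. If the desired header was absent,
    # nothing is re-inserted and the request carries no XFF header at all.
    if { $keep ne "" } {
        HTTP::header insert $desired $keep
    }

    # The header value is client-controlled, so it is not written to the log.
    log local0.info "XFF normalized: $matches candidate headers reduced to $desired"
}
```

After attaching the rule to the virtual server, check that AVR reports and DoS identification show the address from the desired header for a request that carries several matching headers.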

Fix Information

The desired XFF header is taken as the one that represents the HTTP request IP address.

Behavior Change