How to configure Duo Two-Factor Authentication with Sub-Virtual Services

When a web application requires the IP address of the client, either transparency or the X-Forwarded-For feature can be used in the LoadMaster.

The most important issue is that the IP address of the client connecting to the web server is always that of the LoadMaster and not of the connecting client.

The user connects to the LoadMaster and the LoadMaster connects to the web application; therefore, the web application always sees the same IP address.

IP addresses are used for all kinds of security measures. They are used for seeding secret strings in cookies in PHP. They are used for performing flood detection. They are used for brute force detection and lockouts. IP addresses are used all the time. But what happens when all the IP addresses look the same?

To work around that, there is a header called X-Forwarded-For, that can look like a lot of random things. It can look like any of the following:



X-Forwarded-For:,, 2001:0db8:85a3:0000:0000:8a2e:0370:7334


X-Forwarded-For: localhost,

Because it is an optional header, it can contain random things. Sometimes those things are real IP addresses and sometimes it just contains garbage. Either way, the X-Forwarded-For header is the best header to use to include the client’s source IP address.

The LoadMaster appends the IP address of the user that is connecting to the end of the X-Forwarded-For header that is received (or create a new string if there is not one already) and pass that to the web-server.

The web-server then takes that information and parses apart the string to grab the last IP address and intelligently replaces the IP address of the proxy with the IP address listed in the X-Forwarded-For header.

Creating a content rule on the LoadMaster removes all data that precedes the last IP address that is in the X-Forwarded-For header making it easier for the web server to parse the X-Forwarded-For header.


Rule Type:                                                      Replace Header

Header Field:                                                  X-Forwarded-For

Match String:                                                  /.*,\s*(.*)/

Value of Header Field to be replaced:           \1

Apply the rule to the Virtual Service under Advanced Properties > HTTP Header Modifications > Request Rules.


This rule works best if the LoadMaster is configured to inject the X-Forwarded-For header:

System Configuration > Miscellaneous Options > L7 Configuration > Additional L7 Header > X-Forwarded-For


If the LoadMaster is not injecting this header, and the LoadMaster receives a request that contains the the X-Forwarded-For header, it simply passes it along to the web server.  To mitigate this, create a content rule to delete the X-Forwarded-For header.


Was this article helpful?

0 out of 0 found this helpful