Forum Discussion
D__Charles_Shid
Nimbostratus
Jul 15, 2010
Akamai, True-Client-IP, and fun with logging
Hi all!
This is my first post here, so please be gentle. I really did run searches for this, but kept coming up zero. My problem is this: my client is considering using Akamai to improve customer experience, but has a need for getting the actual client IP in the IP header, not in the True-Client-IP field with which Akamai tags its proxied requests. Rewriting the logging is a several-month development affair and my customer wants to see if the F5 can finagle things with an iRule to make it work. Is this even feasible? I am pretty sure I can strip the True-Client-IP value out and rewrite the packet header to look like it came from the original client itself (I still have my doubts), but what's going to happen to the return traffic? Do I have to manually update a connection table entry, or is this going to just fall flat on its face?
Daniel
2 Replies
- hoolio
Cirrostratus
Hi Daniel,
You could translate the source address on serverside connections to the True-Client-IP header value. The web servers' default gateway would need to be the LTM floating self IP though for this to work. You wouldn't need to do any manual "untranslation" as long as LTM gets the response.

    when HTTP_REQUEST {
        # Check if the True-Client-IP HTTP header has an IP address
        if {not ([catch {IP::addr [HTTP::header True-Client-IP] mask 255.255.255.255}])} {
            # No error parsing the header as an IP address, so use it for SNATing
            snat [HTTP::header True-Client-IP]
        }
    }

Aaron
- hoolio
Cirrostratus
I haven't tested this, but I think you'd also want to configure a 255.255.255.255 source mask OneConnect profile and add that to the virtual server to force LTM to open a new serverside connection if you assign a new SNAT address per HTTP request on the same clientside TCP connection.
Edit: after testing without a OneConnect profile, it looks like using the SNAT command forces a new serverside connection to be opened if the source IP is changing.
Aaron
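The iRule in the first reply SNATs to whatever True-Client-IP value arrives, so a request that reaches the virtual server without passing through Akamai can choose the address the web servers log. The variant below is an added example, not code from the thread: it honours the header only when the clientside peer is in a data group of CDN edge networks. The data group name `akamai_edge_nets` is a hypothetical placeholder, and `class match` assumes a TMOS version that provides it.

```tcl
# Added example, not from the thread. akamai_edge_nets is a hypothetical
# address-type data group listing the networks the CDN connects from.
when HTTP_REQUEST {
    # Only a connection arriving from the CDN edge may supply the header.
    if { ![class match [IP::client_addr] equals akamai_edge_nets] } {
        # Direct-to-origin request: remove any client-supplied value so it
        # never reaches the server, and leave the source address untouched.
        if { [HTTP::header exists True-Client-IP] } {
            log local0.notice "True-Client-IP from untrusted peer [IP::client_addr] removed"
            HTTP::header remove True-Client-IP
        }
        return
    }

    # Exactly one instance is expected; several values are ambiguous,
    # so fall back to the normal source address instead of picking one.
    set values [HTTP::header values True-Client-IP]
    if { [llength $values] != 1 } {
        return
    }
    set tcip [string trim [lindex $values 0]]

    # Same validity check as the reply above: IP::addr raises an error
    # when the value does not parse as an IP address.
    if { [catch {IP::addr $tcip mask 255.255.255.255}] } {
        log local0.notice "Unparseable True-Client-IP via [IP::client_addr]"
        return
    }

    # Header came from a trusted edge and parses cleanly: SNAT to it.
    snat $tcip
}
```

The routing requirement from the first reply still applies: the web servers must return traffic through the LTM for the SNATed connections to work.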
