Forum Discussion
AKAMAI True-Client-IP
I am having issues passing the True-Client-IP from AKAMAI.
They pass the end user's IP via a variable called True-Client-IP.
Does anyone know an easy way to be able to send the end user's IP to Apache so that correct logging of the user's IP address is recorded rather than AKAMAI's?
Thanks.
- nitassEmployee
is apache's default gateway bigip?
if yes, can we just snat to true-client-ip's value when sending traffic to apache?
- ChadBigIP_14663Nimbostratus
I have a SNAT setup for my OUTBOUND TRAFFIC to route out through this 1 IP... it has always been this way...
Yes, my Gateway on all of my Web Servers is set to the LTM-3400 192.168.1.1
- Kevin_StewartEmployee
True-client-IP is just a header, so you should either be able to:
- Send it to syslog:
  log local0. "[IP::client_addr]:[TCP::client_port]: True-Client-IP: [HTTP::header value True-Client-IP]"
- And/or just let the header pass through the BIG-IP to Apache.
- ChadBigIP_14663Nimbostratus
How would I do this?
in an iRule?
an http profile?
If an iRule, can you post code?
Many thanks.
- ChadBigIP_14663Nimbostratus
When I created and enabled a HTTP profile called Akamai-true-client-ip (*** with everything DISABLED inside of it ****)
and then created this iRule below and enabled it:
when HTTP_REQUEST {
   # Check if the True-Client-IP HTTP header has an IP address
   if {not ([catch {IP::addr [HTTP::header True-Client-IP] mask 255.255.255.255}])} {
      # No error parsing the header as an IP address, so use it for SNATing
      snat [HTTP::header True-Client-IP]
   }
}
The correct END USER IP is now being passed from Akamai to my Apache Web Servers.
So it looks good, but I have a few questions:
- Are there any performance issues I may now face since I turned on an HTTP Profile? I have never used one before....
- Under General Properties - it says Name and Parent Profile, for Parent Profile it is http. Does it use any of the variables from the http since it is the one selected in the drop down? But when you go to Settings for my new HTTP profile, I have everything disabled.
I just want to make sure that I am not going to get any performance issues having set it up in this way.....
Thanks.
- nitassEmployee
"Are there any performance issues I may now face since I turned on an HTTP Profile?"
if your unit is not heavily loaded, i think it is pretty okay.
"Does it use any of the variables from the http since it is the one selected in the drop down? But when you go to Settings for my new HTTP profile, I have everything disabled."
disabling means to use the setting in the parent profile (i.e. http).
- ChadBigIP_14663Nimbostratus
General Properties Name: Parent Profile: http
Then it goes into Settings
I have everything grayed out so it does not use any settings.
I do not want it to use the settings from the main http profile; it has OneConnect turned on, Response Chunking to Selective, and Maximum Header Size and other features I have never used or turned on.
I thought if I set up a brand new HTTP profile and called it something else other than http and enabled that one to use for my VIP and kept the settings off inside of it that it would not use anything from 'http'.
- nitassEmployee
"I do not want it to use the settings from the main http profile; it has OneConnect turned on, Response Chunking to Selective, and Maximum Header Size and other features I have never used or turned on."
in that case, you cannot use http profile and have to parse tcp payload (http header) yourself (e.g. TCP::collect).
- ChadBigIP_14663Nimbostratus
How would I do that?
Also, if I go into http can I just disable those other features such as:
- Cookie Encryption Passphrase
- Confirm Cookie Encryption Passphrase
- Maximum Header Size 32768 bytes
- Pipelining - just set to Disable
- Insert X-Forward-For - just set to Disable
- LWS Maximum Columns is set to 80 - what is unlimited, 0?
- Compression is set to Disabled
- URI Compression Not Configured
- Content Compression Content List
- Include List text/ application(xml|x-javascript)
- Preferred Method: gzip
- Minimum Content Length: 1024 bytes
- Compression Buffer Size: 4096 bytes
- gzip Compression Level - 1 - Least Compression (Fastest)
- gzip Memory Level - 8 kilobytes
- gzip Windows Size - 16 kilobytes
- Vary Header is CHECKED to Enabled
- CPU Saver is also Checked to ENABLE
- CPU Saver High Threshold 90%
- CPU Saver Low Threshold 75%
- Ram Cache: Disabled
So even though I see variables under it, does that mean they are being ignored for Ram cache since it says Disabled? (they are not grayed out though)
- Kevin_Davies_40Nacreous
If you just use a new HTTP profile with no options ticked on the right hand side, it is not changing any traffic as it passes through the F5. The only reason you need this profile is so the iRule has access to layer seven application traffic. Without it you cannot use the HTTP::header commands.
However, using the SNAT command the way you have means you have changed the source IP address to that of the client's direct address. This means any return traffic will go directly back to the client and not the Akamai server. If the client is not expecting this traffic it will be dropped, so make sure that is your intention.
A better way would be to get Apache to log the specific header for you in its logs. Then you don't need an iRule, you don't even need an HTTP profile. See http://goo.gl/FxuChE for an example.
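The Apache-side logging suggested in the last reply, as an added configuration example that is not part of the thread and not taken from the linked page. It shows the header logged verbatim beside a variant that accepts True-Client-IP only when the connecting peer is a listed proxy. It assumes Apache 2.4 with mod_remoteip; the 192.0.2.0/24 range, the log path and the format nicknames are placeholders.

```apache
# Added example: constructed for illustration, not from the thread.
# Assumes Apache 2.4; the module path varies by distribution.
LoadModule remoteip_module modules/mod_remoteip.so

# --- Variant 1: header logged as-is ---------------------------------------
# Records whatever True-Client-IP value arrived, from any peer. A request
# that did not come through the CDN can carry any string in this header,
# so this column is only as reliable as the path the request took.
LogFormat "%{True-Client-IP}i %l %u %t \"%r\" %>s %b" tci_raw

# --- Variant 2: header accepted only from listed proxies ------------------
# mod_remoteip substitutes the header value for the client address only
# when the TCP peer matches a RemoteIPTrustedProxy entry; otherwise the
# peer address itself is kept.
RemoteIPHeader True-Client-IP

# PLACEHOLDER (RFC 5737 documentation range): replace with the edge
# ranges published for your CDN account.
RemoteIPTrustedProxy 192.0.2.0/24

# %a    = client address after mod_remoteip processing
# %{c}a = underlying TCP peer address (the proxy that connected)
# Logging both keeps the proxy hop visible next to the claimed client IP.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" tci_checked
CustomLog logs/access_log tci_checked
```

If the BIG-IP SNATs the server-side connection, Apache sees the BIG-IP address as the peer, so that address is the one to list as the proxy.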