Forum Discussion

ChadBigIP_14663
Aug 31, 2013

AKAMAI True-Client-IP

I am having issues passing the True-Client-IP from AKAMAI.

They pass the end user's IP via a variable called True-Client-IP.

Does anyone know an easy way to send the end user's IP to Apache so that the user's correct IP address is logged rather than Akamai's?

Thanks.

  • How would I do that?

    e.g.

    [root@ve11a:Active:Changes Pending] config  tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.111:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 28
    }
    [root@ve11a:Active:Changes Pending] config  tmsh list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    [root@ve11a:Active:Changes Pending] config  tmsh list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
            TCP::collect
        }
        when CLIENT_DATA {
            if { [TCP::payload] starts_with "GET" } {
                set snat_cmd "snat [findstr [TCP::payload] "True-Client-IP" 16 \r\n]"
                eval $snat_cmd
            }
            TCP::release
            TCP::collect
        }
    }
    
    Packet trace, i.e. source 172.28.20.17 is translated to 1.1.1.1 when sending to pool member/server 200.200.200.101:
    
    [root@ve11a:Active:Changes Pending] config  ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 172.28.20.17(34623) <-> 172.28.20.111(80)
    1377937424.0187 (0.0010)  C>S
    ---------------------------------------------------------------
    GET / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.20.111
    Accept: */*
    True-Client-IP: 1.1.1.1
    
    ---------------------------------------------------------------
    
    New TCP connection 2: 1.1.1.1(34623) <-> 200.200.200.101(80)
    1377937424.0216 (0.0028)  C>S
    ---------------------------------------------------------------
    GET / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.20.111
    Accept: */*
    True-Client-IP: 1.1.1.1
    
    ---------------------------------------------------------------
    

    Anyway, I think using the HTTP profile is easier. The alternative solution is what Kevin suggested.

  • I am using SNAT Translations configured for OUTBOUND traffic, and it always went out through 1 IP.

    It was setup that way from the beginning.

    So what you are saying is that with the new config the way I set it up, it will still use my current SNAT Translation and send outbound traffic via my SNAT?

    I just went in to see the statistics and there are active connections on the SNAT.

    Is doing it this way more convoluted, and could it cause connectivity issues, since I am using a new HTTP profile and iRule?

    Is the Apache log option a more optimized way of doing it?

    I copied it below:

    LogFormat "%v %{CF-Connecting-IP}i (via cloudflare:%h) %l %u %t \"%r\" %>s %b" cloudflare
    CustomLog "|rotatelog.. etc" cloudflare

    So all I have to do is enter the above line, and replace CF-Connection-IP with True-Connect-IP and it should work?

    • ChadBigIP_14663
      Yes to both questions above? So what you are saying is that with the new config the way I set it up, it will still use my current SNAT Translation and send outbound traffic via my SNAT?

      LogFormat "%v %{CF-Connecting-IP}i (via cloudflare:%h) %l %u %t \"%r\" %>s %b" cloudflare
      CustomLog "|rotatelog.. etc" cloudflare

      So all I have to do is enter the above line, and replace CF-Connection-IP with True-Connect-IP and it should work?
  • If I keep it with the HTTP profile and iRule, are there any performance issues I will be facing?

    Should I turn off OneConnect Transformations? Should I turn off Pipelining? Should I turn off Insert X-Forwarded-For? What about LWS Maximum Columns, which is set to 80?

    Compression is set to Disabled; URI Compression is set to Not Configured.

    Should I make some tweaks to 'http' for better performance?

    • Kevin_Davies_40
      Nothing is turned on unless you choose it in the HTTP profile. In regards to OneConnect, if you are serving web pages then F5 recommends it, as it optimizes the back-end connections significantly. However, you should test it and make sure it causes no issues with your application.
  • In my Apache config, I have this:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent

    Do I append to it, or remove it with this?

    LogFormat "%v %{True-Connect-IP}i (via akamai:%h) %l %u %t \"%r\" %>s %b" akamai
    CustomLog "|rotatelog.. etc" akamai

    What else do I need to modify? The actual VirtualHost directives for each domain that is hosted in that httpd.conf file, or is having it outside of the VirtualHost going to act as a global setting for how the logs are handled/written/recorded?

    Thanks.

    • Kevin_Davies_40
      I think you will find this link shows you an example of someone updating logs to do this: [http://goo.gl/t9CxPg](http://goo.gl/t9CxPg)
    • ChadBigIP_14663
      Would that be the more efficient and optimized way of doing it, rather than putting the load on the F5 LTM-3400? Or does it not really matter; is it just preference?
  • Can I set these as global variables so I do not have to modify 50 Virtual Host Directives across 10 servers?

    Or do I have to include them into each Virtual Host Directive?

    Is there a way to put them outside of the VirtualHost so that ALL VirtualHost directives for ALL domains will pick up the True-Client-IP?

    See below, from the site:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{True-Client-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    SetEnvIf True-Client-IP "^......." forwarded
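    The two steps this thread relies on, the header extraction that the iRule does with findstr and the SetEnvIf/CustomLog fallback above, side by side in Python as an added example (not code from any poster, F5 or Apache). The sample request and the TRUSTED_PROXIES range are constructed placeholders; the point is that the header value is validated as an IP address and only trusted when the TCP peer is a known proxy.

```python
import ipaddress
from typing import Optional

# Constructed sample request, modelled on the ssldump capture in the thread.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 172.28.20.111\r\n"
    b"Accept: */*\r\n"
    b"True-Client-IP: 1.1.1.1\r\n"
    b"\r\n"
)

# Placeholder for the address ranges of the CDN / load balancer that is
# allowed to set True-Client-IP (assumption: replace with the real ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("172.28.20.0/24")]


def extract_true_client_ip(raw_request: bytes) -> Optional[str]:
    """Return the True-Client-IP value if it is a syntactically valid IPv4/IPv6
    address, otherwise None.

    Unlike the iRule's fixed-offset findstr, the header name is matched
    case-insensitively and the value is validated before it is SNATed or
    logged; a malformed value is dropped instead of being handed to eval."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"true-client-ip":
            continue
        try:
            return str(ipaddress.ip_address(value.strip().decode("ascii")))
        except (ValueError, UnicodeDecodeError):
            return None  # first True-Client-IP header wins; bad value -> None
    return None


def client_ip_for_log(raw_request: bytes, peer_ip: str, trusted) -> str:
    """Mirror the SetEnvIf/CustomLog pattern from the thread: log the
    True-Client-IP only when the TCP peer (%h) is a trusted proxy and the
    header is valid; otherwise fall back to the peer address itself."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return peer_ip
    return extract_true_client_ip(raw_request) or peer_ip


if __name__ == "__main__":
    print(client_ip_for_log(SAMPLE_REQUEST, "172.28.20.111", TRUSTED_PROXIES))
```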

  • As I understand apache2, the VirtualHost logging directives override the global logging directive, e.g. the one that's not in the VirtualHost configuration. Leave them out and they use the global one by default.