The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.To enable the X-Forwarded-For option in the Load Balancer, you can use a http profile or an iRule based on this article: https://my.f5.com/manage/s/article/K4816Will the deployment cause a glitch? Is this possible through script to simultaneously configure multiple VS?

Enabling this via profile won't cause an interuption. Via iRule shouldn't if you don't make any mistakes. Yes you can script this. But some experience with them is probably useful before just doing that in production.

Hi lttarvina, first read this: K4816 - Enabling the Insert X-Forwarded-For option in the HTTP profile lets say all your virtuals have the default http profile, named http. And, following the process described above, you create a new profile called pr_http_xff. This command should replace the profile called http with your new profile pr_http_xff on all virtuals. tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name tmsh modify ltm virtual vs_name profiles add { pr_http_xff } profiles delete { http http } This is the same what boneyard suggests, but not for one but for many virtuals. I took this from my notes and didn't test it in my lab. Therefore: handle with care. If you have DSC cluster, run on the standby unit and sync. If you have a test environment, test it there. KRDaniel

First of all, this is all one command in one single line. Not two commands. No let's dissect this command into its parts. tmsh list ltm virtual one-line | grep "profiles.*\ http\ " The above will list ALL virtuals that have the default http profile called http, one line per VS. That's what grep does. tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' This will do the same, but it will print only the third ($3) field from output of the previous command - which is the VS name. That's what awk does. tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name tmsh mod ltm virtual vs_name profiles add { pr_http } profiles delete { http http } Now this will take the output from awk, the virtual server name, and use them as argument for the tmsh modify. That's what xargs -I vs_name does. It puts the virtual server name into the variable vs_name which I later use in tmsh modify.And with tmsh modify I add the new http profile and delete the old one.This last and very long command will not show any output at the end, it will run with no message like "Success" or "Completed".

Thank you for letting me know that enabling the X-Forwarded-For option in the Load Balancer via an http profile or an iRule won't cause an interruption as long as we don't make any mistakes in iRule.Could you share a Knowledge Based article for a step-by-step procedure on how to do it through a script to simultaneously configure multiple VS?Thanks a lot.

I don't believe such a knowledge article exists. Writing articles for scripts quickly becomes quite a tasks because so much is possible. Here is a suggestion I could find: https://community.f5.com/t5/technical-forum/modify-multiple-virtual-servers/td-p/46610 Are you familiar with specific scripting languages or tools like Ansible?

Deployment of X-forwarder on all VIP

11 Replies

boneyard
MVP
Jan 01, 2024
Enabling this via profile won't cause an interuption. Via iRule shouldn't if you don't make any mistakes.

Yes you can script this. But some experience with them is probably useful before just doing that in production.
- lttarvina
  Cirrus
  Jan 01, 2024
  Thank you for letting me know that enabling the X-Forwarded-For option in the Load Balancer via an http profile or an iRule won't cause an interruption as long as we don't make any mistakes in iRule.
  Could you share a Knowledge Based article for a step-by-step procedure on how to do it through a script to simultaneously configure multiple VS?
  Thanks a lot.
  - boneyard
    MVP
    Jan 01, 2024
    I don't believe such a knowledge article exists. Writing articles for scripts quickly becomes quite a tasks because so much is possible.
    
    Here is a suggestion I could find:
    
    https://community.f5.com/t5/technical-forum/modify-multiple-virtual-servers/td-p/46610
    
    Are you familiar with specific scripting languages or tools like Ansible?
Daniel_Wolf
MVP
Jan 01, 2024
Hi lttarvina,

first read this: K4816 - Enabling the Insert X-Forwarded-For option in the HTTP profile

lets say all your virtuals have the default http profile, named http. And, following the process described above, you create a new profile called pr_http_xff. This command should replace the profile called http with your new profile pr_http_xff on all virtuals.

tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name tmsh modify ltm virtual vs_name profiles add { pr_http_xff } profiles delete { http http }

This is the same what boneyard suggests, but not for one but for many virtuals.

I took this from my notes and didn't test it in my lab. Therefore: handle with care.
If you have DSC cluster, run on the standby unit and sync. If you have a test environment, test it there.

KR
Daniel
- isg-ss3
  Nimbostratus
  Jan 02, 2024
  Hi, and thank you for the given commands below:
  tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name
  tmsh modify ltm virtual vs_name profiles add { pr_http_xff } profiles delete { http http }
  I tried the first command in my lab, and no output has been shown. I replaced the vs_name with a specific name of a VS, and still no output has been shown. However, when I entered "tmsh list ltm virtual one-line," I got the following output:
  I just thought that maybe it's only happening in the lab and not on the actual appliance. My question is: will the first command output all VS, and can the script be edited using the second command, where all VS can be modified?
  Thanks.
  - Daniel_Wolf
    MVP
    Jan 02, 2024
    First of all, this is all one command in one single line. Not two commands. No let's dissect this command into its parts.
    
    tmsh list ltm virtual one-line | grep "profiles.*\ http\ "
    
    The above will list ALL virtuals that have the default http profile called http, one line per VS. That's what grep does.
    
    tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }'
    
    This will do the same, but it will print only the third ($3) field from output of the previous command - which is the VS name. That's what awk does.
    
    tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name tmsh mod ltm virtual vs_name profiles add { pr_http } profiles delete { http http }
    
    Now this will take the output from awk, the virtual server name, and use them as argument for the tmsh modify. That's what xargs -I vs_name does. It puts the virtual server name into the variable vs_name which I later use in tmsh modify.
    And with tmsh modify I add the new http profile and delete the old one.
    This last and very long command will not show any output at the end, it will run with no message like "Success" or "Completed".
lttarvina
Cirrus
Jan 08, 2024
Thank you boneyard and Daniel_Wolf for your answers to my queries. I have another question. I found this knowledge-based article for verifying the X-Forwarded-For Header Inserted by the BIG-IP.
Using an irule to verify the X-Forwarded-For Header Inserted by the BIG-IP (f5.com)
My questions are as follows:
1) Please explain the meaning of 10.10.10.10 in the script.
2) Is it possible to run the script written on the KB article and apply it to all 187 virtual servers at once without erasing the iRules that were previously configured on the above-mentioned virtual servers? The newly configured iRule overwrites the previously configured ones when I run the command below.
tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name tmsh modify ltm virtual vs_name rules { X-Forwarded-For-Verify }
Daniel_Wolf
MVP
Jan 08, 2024
Hi lttarvina,

first let us understand why you want to apply this iRule to all your virtuals? Do you understand what this iRule does?

Let me start by answering your first question. The 10.10.10.10 is the client IP address.

If I use tmsh to look at the connection table for my virtual server (vs_nginx_http) I will see this output:

root@(big-ip)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys connection virtual-server vs_nginx_http
Sys::Connections
192.168.57.1:39236 192.168.57.80:80 10.0.2.246:39236 10.0.2.80:80 tcp 6 (tmm: 1) none none
Total records returned: 1

So my client IP address is 192.168.57.1, [IP::client_addr].
My virtual server IP address is 192.168.57.80, [IP::local_addr] in a client-side iRule event.
My SNAT IP address is 10.0.2.246, also [IP::local_addr] but in a server-side iRule event.
And the IP of the node / pool member is 10.0.2.80 [IP::server_addr].

The iRule you are looking at will add a log entry every time someone with the IP 10.10.10.10 invokes a request on any virtual server that has this iRule attached.
If you have a busy system and you get a lot of requests from whatever IP you insert into this iRule, you will create A LOT of log entries.
What exactly are you trying to achieve? Maybe addint the iRule to only one virtual is enough, for troubleshooting something?

KR
Daniel

Forum Discussion

Deployment of X-forwarder on all VIP

11 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Where are F5's archived deployment guides?

F5 BIG-IP deployment with OpenShift - per-application 2-tier deployments

X-Forwarded-For on L4 VS

TCP Option 28 X-Forwarded-For Header

Extracting X-Forwarded-For in Node.js