Forum Discussion
Deployment of X-forwarder on all VIP
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
To enable the X-Forwarded-For option in the Load Balancer, you can use a http profile or an iRule based on this article: https://my.f5.com/manage/s/article/K4816
Will the deployment cause a glitch? Is this possible through script to simultaneously configure multiple VS?
Enabling this via profile won't cause an interuption. Via iRule shouldn't if you don't make any mistakes.
Yes you can script this. But some experience with them is probably useful before just doing that in production.
- lttarvinaCirrus
Thank you for letting me know that enabling the X-Forwarded-For option in the Load Balancer via an http profile or an iRule won't cause an interruption as long as we don't make any mistakes in iRule.
Could you share a Knowledge Based article for a step-by-step procedure on how to do it through a script to simultaneously configure multiple VS?
Thanks a lot.
I don't believe such a knowledge article exists. Writing articles for scripts quickly becomes quite a tasks because so much is possible.
Here is a suggestion I could find:
https://community.f5.com/t5/technical-forum/modify-multiple-virtual-servers/td-p/46610
Are you familiar with specific scripting languages or tools like Ansible?
Hi lttarvina,
first read this: K4816 - Enabling the Insert X-Forwarded-For option in the HTTP profile
lets say all your virtuals have the default http profile, named http. And, following the process described above, you create a new profile called pr_http_xff. This command should replace the profile called http with your new profile pr_http_xff on all virtuals.
tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name tmsh modify ltm virtual vs_name profiles add { pr_http_xff } profiles delete { http http }
This is the same what boneyard suggests, but not for one but for many virtuals.
I took this from my notes and didn't test it in my lab. Therefore: handle with care.
If you have DSC cluster, run on the standby unit and sync. If you have a test environment, test it there.KR
Daniel- isg-ss3Nimbostratus
Hi, and thank you for the given commands below:
tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name
tmsh modify ltm virtual vs_name profiles add { pr_http_xff } profiles delete { http http }I tried the first command in my lab, and no output has been shown. I replaced the vs_name with a specific name of a VS, and still no output has been shown. However, when I entered "tmsh list ltm virtual one-line," I got the following output:
I just thought that maybe it's only happening in the lab and not on the actual appliance. My question is: will the first command output all VS, and can the script be edited using the second command, where all VS can be modified?
Thanks.
First of all, this is all one command in one single line. Not two commands. No let's dissect this command into its parts.
tmsh list ltm virtual one-line | grep "profiles.*\ http\ "
The above will list ALL virtuals that have the default http profile called http, one line per VS. That's what grep does.
tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }'
This will do the same, but it will print only the third ($3) field from output of the previous command - which is the VS name. That's what awk does.
tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name tmsh mod ltm virtual vs_name profiles add { pr_http } profiles delete { http http }
Now this will take the output from awk, the virtual server name, and use them as argument for the tmsh modify. That's what xargs -I vs_name does. It puts the virtual server name into the variable vs_name which I later use in tmsh modify.
And with tmsh modify I add the new http profile and delete the old one.
This last and very long command will not show any output at the end, it will run with no message like "Success" or "Completed".
- lttarvinaCirrus
Thank you boneyard and Daniel_Wolf for your answers to my queries. I have another question. I found this knowledge-based article for verifying the X-Forwarded-For Header Inserted by the BIG-IP.
Using an irule to verify the X-Forwarded-For Header Inserted by the BIG-IP (f5.com)
My questions are as follows:
1) Please explain the meaning of 10.10.10.10 in the script.
2) Is it possible to run the script written on the KB article and apply it to all 187 virtual servers at once without erasing the iRules that were previously configured on the above-mentioned virtual servers? The newly configured iRule overwrites the previously configured ones when I run the command below.
tmsh list ltm virtual one-line | grep "profiles.*\ http\ " | awk '{ print $3 }' | xargs -I vs_name tmsh modify ltm virtual vs_name rules { X-Forwarded-For-Verify }
Hi lttarvina,
first let us understand why you want to apply this iRule to all your virtuals? Do you understand what this iRule does?
Let me start by answering your first question. The 10.10.10.10 is the client IP address.
If I use tmsh to look at the connection table for my virtual server (vs_nginx_http) I will see this output:
root@(big-ip)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys connection virtual-server vs_nginx_http
Sys::Connections
192.168.57.1:39236 192.168.57.80:80 10.0.2.246:39236 10.0.2.80:80 tcp 6 (tmm: 1) none none
Total records returned: 1So my client IP address is 192.168.57.1, [IP::client_addr].
My virtual server IP address is 192.168.57.80, [IP::local_addr] in a client-side iRule event.
My SNAT IP address is 10.0.2.246, also [IP::local_addr] but in a server-side iRule event.
And the IP of the node / pool member is 10.0.2.80 [IP::server_addr].The iRule you are looking at will add a log entry every time someone with the IP 10.10.10.10 invokes a request on any virtual server that has this iRule attached.
If you have a busy system and you get a lot of requests from whatever IP you insert into this iRule, you will create A LOT of log entries.
What exactly are you trying to achieve? Maybe addint the iRule to only one virtual is enough, for troubleshooting something?KR
Daniel
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com