Forum Discussion
How to preserve existing X-Forwarded-For Header when using SNAT
First question: does SNAT alter an existing X-Forwarded-For header?
We have a web service that goes DMZ LTM -> XML Security Device -> PBN LTM /with SNAT. The application has IP-based role restrictions and is failing. I believe this is happening because either the SNAT in the PBN is rewriting the X-Forwarded-For header or the application is not properly reading the X-Forwarded-For header. Many thanks in advance for your help in answering!
/Jeff
3 Replies
- kunjan
Nimbostratus
Jeff, SNAT doesn't modify that, unless you have an HTTP profile with "Insert X-Forwarded-For" enabled or an iRule that does it.
You can log what is sent out of the BIG-IP by attaching an iRule to the virtual server:
    when HTTP_REQUEST_SEND {
        # Log every request header just before the request is sent to the pool member
        clientside {
            foreach x [HTTP::header names] {
                log local0. "Request header($x) = [HTTP::header $x]"
            }
        }
    }
- M_2
Altocumulus
First question: does SNAT alter an existing X-Forwarded-For header?
I have seen a setup like the one below where SNAT was altering the client address.
Client > l4 ltm (snat2vip) > l7 ltm (xff configured) > server
In the above case, until I removed SNAT in l4, my server was unable to see the client address.
-sam
- Antony2015
Altostratus
Jeff,
Please try applying the iRule below on the PBN LTM /with SNAT and let me know the result.
    rule X-Forwarded-For {
        when HTTP_REQUEST {
            if {[HTTP::header exists X-Forwarded-For]} {
                # Append this hop's client address to the existing list
                HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
            } else {
                HTTP::header insert X-Forwarded-For [IP::client_addr]
            }
        }
    }
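Added example, not part of the original thread: once each hop appends to X-Forwarded-For as in the iRule above, the application behind the SNAT receives a comma-separated chain and has to choose one entry for its IP-based role check. This sketch assumes a Python application; the function names and the trusted proxy networks are hypothetical, constructed values.

```python
import ipaddress

# Constructed sample values: networks of the proxies (LTM SNAT pools, XML
# security device) that this application trusts to append X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.20.0.0/24")]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, xff_values):
    """Pick the address to use for IP-based authorization.

    peer_ip    -- TCP source address seen by the application (the SNAT address)
    xff_values -- every X-Forwarded-For header line received, in order
    Returns the address as a string, or None if the chain is malformed
    (the caller should deny access in that case).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        # Not one of our proxies: the header is client-controlled, ignore it.
        return str(peer)
    # Several header lines are equivalent to one comma-joined list.
    hops = [h.strip() for line in xff_values for h in line.split(",") if h.strip()]
    last = peer
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, anything left of the first untrusted entry may be forged.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not is_trusted(addr):
            return str(addr)
        last = addr
    # No header, or every hop was one of our proxies.
    return str(last)
```

Taking the leftmost entry instead would let any client choose its own role by sending a forged X-Forwarded-For value.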