Forum Discussion

mb_shankr
Jan 29, 2024

How to rewrite the source IP address to an URL

Hi..

If I want to replace the source IP address in the HTTP header with a URL/FQDN, how can I achieve this?..

Below is the scenario:

Client Address ---> VIP ---> Pool member

Now, when the traffic reaches the pool member, it should see the source as a URL/FQDN instead of the actual Client Address. How can I do this on the F5?

Any inputs would be of great help.. Thanks..

  • Your description of the scenario is not so clear. The client's IP address (source IP address) is located at Layer 3 (OSI model, IP address), not in Layer 7 (HTTP header). Therefore you can't "replace the source IP address by a URL/FQDN" (because the first is located at Layer 3 and the second at Layer 7 = HTTP header).

    In general, modifying an HTTP header by iRule is described here: https://clouddocs.f5.com/api/irules/HTTP__header.html. You can use one of these:

    # replace
    HTTP::header replace <name> [<string>]
    # insert
    HTTP::header insert <name> <value>

    Read this and maybe it helps understand your request...

    "Normal" load-balancing TCP flow (in general HTTP) is "destination NAT":
    - first TCP flow (client side): client -> VIP = IPclient -> VIP
    - second TCP flow (server side): f5 -> pool member = IPclient -> IPserver
    ^^ as you can see, the destination IP address (VIP) is replaced with IPserver (it's destination NAT), but the source IP address (client's IP) stays the same. That's normal behaviour.

    When you need to "hide" the client's IP address (or in some special network topology cases) you have to use "source NAT" on the f5 device. In this case the TCP flow looks like this:
    - first TCP flow (client side): client -> VIP = IPclient -> VIP
    - second TCP flow (server side): f5 -> pool member = IPf5 -> IPserver
    ^^ in this case, the source address (client's IP) is "hidden"/replaced by another IP address (when you are using "auto map" the IP address is the self IP or (when an HA pair is configured) the floating IP address of the f5 device).

    When you are using "source NAT" and you need to know the client's IP address on the server side, you can add the client's IP address (from Layer 3 of the OSI model) to an HTTP header (Layer 7) as the "XFF" (X-Forwarded-For) header value (https://en.wikipedia.org/wiki/X-Forwarded-For). For this case you can use the HTTP profile or an iRule (https://my.f5.com/manage/s/article/K4816). XFF by iRule example:

    when HTTP_REQUEST {
        HTTP::header insert X-Forwarded-For [IP::remote_addr]
    }

    And now back to your question: What is your request? What do you need to replace? Do you need to "hide" the client's real IP address?
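The SNAT plus X-Forwarded-For pattern described above, written out as one complete iRule. This is an added example, not code from the thread or from F5's documentation. It assumes the virtual server has an HTTP profile attached, that the BIG-IP is the only proxy between the client and the pool member (so any X-Forwarded-For arriving from the client side is client-supplied and untrusted), and that the pool member is configured to read the client address from X-Forwarded-For only when the Layer 3 source is the BIG-IP's SNAT address. The header name, the use of `snat automap`, and the log line are choices made for this example.

```tcl
# Added example (not from the thread): source-NAT the client behind the BIG-IP
# self/floating IP and carry the real Layer 3 client address to the pool member
# in the X-Forwarded-For header.
#
# Assumptions: HTTP profile on the virtual server; no trusted upstream proxy in
# front of the BIG-IP, so an inbound X-Forwarded-For is client-controlled.

when CLIENT_ACCEPTED {
    # Source NAT: the pool member sees the BIG-IP's self or floating IP as the
    # TCP source address, exactly the "IPf5 -> IPserver" flow described above.
    snat automap
}

when HTTP_REQUEST {
    # Drop any X-Forwarded-For the client sent itself. HTTP::header insert would
    # otherwise add a second header after the client's, and a pool member that
    # reads the first value would be fed a spoofed address.
    if { [HTTP::header exists X-Forwarded-For] } {
        HTTP::header remove X-Forwarded-For
    }

    # Insert the real client address taken from the client-side TCP connection
    # (Layer 3), so the server can recover it despite the SNAT.
    HTTP::header insert X-Forwarded-For [IP::client_addr]

    # Record what the pool member will receive (goes to /var/log/ltm).
    log local0. "client [IP::client_addr] snatted; XFF=[HTTP::header X-Forwarded-For]"
}
```

If a trusted proxy or CDN does sit in front of the BIG-IP, removing the inbound header discards that hop's record of the original client; in that topology keep the existing value and append the BIG-IP's view instead, and have the server trust only the value appended by the last proxy it knows about.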

  • Will the below iRule do the job?

    when HTTP_REQUEST {
        HTTP::header replace client_addr "aws.ansible.com"
    }

    • Tofunmi

      You're close, but use Host instead of client_addr and remove the quotes on the hostname.

      • mkyrc

        The Host header is based on the "destination", not the "source" as requested. I think the question is wrong (as I wrote in my other post here).


  • Hi mb_shankr

    My answer will be based on the assumption that you intend to replace the HTTP Host header to use a hostname, say "xyz-api.example.com", instead.

    The iRule below should help:

    when HTTP_REQUEST {
        HTTP::header replace Host xyz-api.example.com
    }

  • Thank you Tofunmi and mkyrc for your response...

    Yes, the host field in the HTTP header refers to the destination and not the source..

    But I wanted to know if it is possible at all to replace the source IP (client address) with a URL/FQDN.. and if yes, how?..

    I know I can replace/mask the client IP with another IP using SNAT.. but is it possible to replace the client IP with a URL/FQDN instead of a SNAT IP..

    I want the destination server to see the request coming from a URL instead of the IP..

    As per mkyrc's explanation, I see it's not possible (and I thought so).. but is there any way I can achieve this?...