Forum Discussion
How to rewrite the source IP address to a URL
- Jan 29, 2024
Your description of the scenario is not so clear. The client's IP address (source IP address) is located at Layer 3 (OSI model, IP address), not at Layer 7 (HTTP header). Therefore you can't "replace source IP address by URL/FQDN" (because the first is located at Layer 3 and the second at Layer 7 = HTTP header).
In general, modifying an HTTP header by iRule is described here: https://clouddocs.f5.com/api/irules/HTTP__header.html. You can use one of these:
```tcl
# replace
HTTP::header replace <name> [<string>]
# insert
HTTP::header [value] <name>
```
Read this and maybe it helps to understand your request...
"Normal" load-balancing TCP flow (in general HTTP) is "destination NAT":
- first TCP flow (client side): client -> VIP = IPclient -> VIP
- second TCP flow (server side): f5 -> pool member = IPclient -> IPserver
^^ As you can see, the destination IP address (VIP) is replaced with IPserver (it's destination NAT), but the source IP address (client's IP) is the same. That's normal behaviour.

When you need to "hide" the client's IP address (or in some special network topology cases) you have to use "source NAT" on the f5 device. In this case the TCP flow looks like this:
- first TCP flow (client side): client -> VIP = IPclient -> VIP
- second TCP flow (server side): f5 -> pool member = IPf5 -> IPserver
^^ In this case, the source address (client's IP) is "hidden"/replaced by another IP address (when you are using "auto map", the IP address is the self or (when an HA pair is configured) floating IP address of the f5 device).

When you are using "source NAT" and you need to know the client's IP address on the server side, you can add the client's IP address (from Layer 3 of the OSI model) to the HTTP header (Layer 7) as the "XFF" (X-Forwarded-For) header value (https://en.wikipedia.org/wiki/X-Forwarded-For). For this case you can use an HTTP profile or an iRule as code (https://my.f5.com/manage/s/article/K4816). XFF by iRule example:
```tcl
when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-For [IP::remote_addr]
}
```
And now back to your question: What is your request? What do you need to replace? Do you need to "hide" the client's real IP address?
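For the server side of the SNAT + X-Forwarded-For setup described above, here is an added example (not part of the original post, and not F5 code) of how a pool member can recover the client IP without trusting a header the client may have sent itself. The names `TRUSTED_PROXIES` and `real_client_ip` and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the addresses the BIG-IP uses as SNAT source (self / floating IP).
# Constructed sample values taken from documentation ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("192.0.2.11/32")]

def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def _parse(text):
    """Return an ip_address, or None for junk such as 'unknown' or injected text."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def real_client_ip(peer_addr, xff_values):
    """peer_addr: source IP of the TCP connection as the server sees it.
    xff_values: every X-Forwarded-For header line of the request, in order."""
    peer = _parse(peer_addr)
    if peer is None:
        raise ValueError("bad peer address")
    # Connection did not arrive via the load balancer: any XFF is
    # client-controlled, so ignore it and use the Layer 3 source.
    if not _is_trusted(peer):
        return str(peer)
    # Flatten repeated header lines and comma-separated lists into one hop list.
    hops = [h for line in xff_values for h in line.split(",") if h.strip()]
    # Walk right to left: the right-most entry is the one our proxy inserted,
    # anything further left may have been supplied by the client.
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: stop, nothing further left is reliable
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)
```
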
Thank you Tofunmi and mkyrc for your response...
Yes, the host field in the HTTP header refers to the destination and not the source.
But I wanted to know if it is possible at all to replace the source IP (client address) with a URL/FQDN, and if yes, how?
I know I can replace/mask the client IP with another IP using SNAT, but is it possible to replace the client IP with a URL/FQDN instead of the SNAT IP?
I want the destination server to see the request coming from a URL instead of the IP.
As per mkyrc's explanation, I see it's not possible (and I thought so), but is there any way I can achieve this?
You are trying to replace a layer 3 header with a layer 7 header. This is not possible.
- Tofunmi, Jan 31, 2024
MVP
Exactly.