Forum Discussion
How to see the real IP in server- The traffic is from VIP:HTTPS and SNAT is enabled.
Hello,
Can anyone help me to get the real IP in the server? The traffic is passing through a VIP listening on the HTTPS port, and SNAT is enabled on the HTTPS VIP to avoid a routing issue in my environment.
Regards Visvesh.
5 Replies
- Hannes_Rapp
Nimbostratus
If NAT is applied, you are no longer able to see the IP of original source host in TCP-level information at the end-server.
However, since it's an HTTP(S) service, you can achieve that with the use of HTTP headers. You can instruct F5 to insert the x-forwarded-for HTTP cookie which contains the value of the real source IP. This setting can be enabled in Profiles > Services > HTTP_PROFILE_USED_BY_SERVICE
- Enable the "Insert X-Forwarded-For" setting
- Visvesh_138292
Nimbostratus
Thank you Hannes...Let me check and will update you the status...
Regards Visvesh.
- Hannes_Rapp
Nimbostratus
You're welcome
Detailed information about the solution is available here: http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
There are some limitations to keep in mind, mainly that the SSL must be terminated on the F5.
- Visvesh_138292
Nimbostratus
Is there any other option to achieve this with an iRule?
Because the SSL offloading is happening at server not in F5.
Regards Visvesh.
- Hannes_Rapp
Nimbostratus
I'm assuming most of the requests are coming from real end-users, and not client-servers. Possibly you applied SNAT configuration to make it possible for a few client-servers to access the content.
If that's the case, you can create an iRule to apply SNAT automap only when needed, and not in all use-cases. Typically you only need to apply SNAT when source and destination are in the same network.
Solution with iRule:

    when CLIENT_ACCEPTED {
        # Apply SNAT only for clients that sit in the same network as the end-servers
        if { [class match [IP::client_addr] equals "data_my_network"] } {
            snat automap
            log local0. "Applied SNAT for IP: [IP::client_addr]"
        } else {
            # Do not apply SNAT; the server sees the real client IP
            return
        }
    }

"data_my_network" = address type LTM data-group which contains the network segment where the end-servers are located (e.g. 192.168.1.0/24). You then need to remove the SNAT automap configuration from the virtual server (this has a possible impact and should be done during a scheduled maintenance window).
Other than that, I don't have any solutions for you. If the above is not applicable, you should either create a new network segment to solve the asymmetric routing issue, or ask to migrate the SSL termination to the F5.
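As an added example (not part of this thread or of F5's own code), here is the server-side counterpart to both answers above: when the TCP peer is the F5's SNAT address, recover the client from the X-Forwarded-For header the F5 inserted; when it is not (selective SNAT let the connection through untouched), the peer address already is the real client. The SNAT address, the assumption that the trusted hop's entry is the right-most one, and the sample addresses are all constructed.

```python
import ipaddress

# Assumption (constructed): the address(es) the F5 uses for SNAT automap,
# i.e. the only TCP peers from which X-Forwarded-For may be believed.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer is one of the F5 SNAT addresses."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip: str, headers: dict) -> str:
    """Return the originating client IP for a request.

    peer_ip: source address of the TCP connection as seen by the server.
    headers: request headers; header names are matched case-insensitively.
    """
    # Not SNATed (or not from the F5 at all): the peer is the real client.
    # This also means a client cannot spoof its address via the header.
    if not is_trusted_proxy(peer_ip):
        return peer_ip

    xff = None
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            xff = value
            break
    if not xff:
        # SNATed but no header: SSL is probably terminated on the server,
        # so the F5 could not insert it; the best we have is the SNAT address.
        return peer_ip

    # Assumption: the trusted hop's entry is the right-most one; anything to
    # its left was supplied by the client and must not be trusted.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (ValueError, IndexError):
        return peer_ip
```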