How to set up the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT?
Hi all, hope you are fine.
Please, I need your help.
I have a problem:
when I activate the Google proxy, it is the IP of the proxy that replaces the customer address.
I tested the proxy with external sites and the client source IP is correctly entered in the XFF field.
I set up this configuration but I don't have the standard values:
http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
How can I configure the VS to have the standard values?
• X-BIG-IP-IP-CALLING: xxxxxxxxx
• X-FORWARD-FOR: xxxxxxxxx (IP Client), xx.xxx.xx.xxx (Proxy 1) xxx.xxx.xxx.xx (Proxy 2)
Thank you in advance
BR
22 Replies
- JRahm
Admin
just to clarify, you want to rewrite the list of IPs from the XFF header to be only the first IP in the list? If so, this should work for you.

    when HTTP_REQUEST {
        HTTP::header replace X-Forwarded-For [getfield [HTTP::header X-Forwarded-For] "," 1]
    }

- Kevin_Stewart
Employee
KOR, the HTTP profile's Request Header insert field will not accomplish what you're looking for. It will not expand an iRule value like [IP::client_addr], but rather takes a static value (ex. TEST=Foo). Further, the Insert X-Forwarded-For option will explicitly insert an "X-Forwarded-For" header into the request. If you want a specific header name other than X-Forwarded-For, you would want to use an iRule:

    when HTTP_REQUEST {
        HTTP::header insert X-BIGIP-CALLING-IP [IP::client_addr]
    }

- nitass
Employee
It looks like Google adds a new header to pass the original IP address from the client:
Forwarded: for=105.235.130.92
You may use an iRule to extract the IP address from that header and add it to the X-forwarded-for header.
is it something like this?
- nitass
Employee
e.g.
config

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 2
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
            if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
                HTTP::header remove X-forwarded-for
                HTTP::header insert X-forwarded-for $ip
            }
        }
    }

trace

    [root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 172.28.24.1(60325) <-> 172.28.24.10(80)
    1397563493.0008 (0.0022) C>S
    ---------------------------------------------------------------
    GET / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.24.10
    Accept: */*
    Forwarded: for=1.2.3.4
    ---------------------------------------------------------------
    New TCP connection 2: 200.200.200.14(60325) <-> 200.200.200.101(80)
    1397563493.0028 (0.0018) C>S
    ---------------------------------------------------------------
    GET / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.24.10
    Accept: */*
    Forwarded: for=1.2.3.4
    X-forwarded-for: 1.2.3.4
    ---------------------------------------------------------------

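A stricter variant of the iRule in the post above, as an added example that is not part of the thread: `scan ... {for=%s}` copies everything up to the next whitespace, so extra parameters, quotes, or a value sent by any direct client would land in X-Forwarded-For unchanged. This version accepts the value only from a trusted proxy and only when it is a well-formed IPv4 address. Assumptions: `trusted_proxies_dg` is a hypothetical address-type data group holding your proxy ranges; IPv6 and obfuscated identifiers fall back to the peer address.

```tcl
# Added example (not from the thread). trusted_proxies_dg is a hypothetical
# address-type data group that lists the proxy source ranges you trust.
when HTTP_REQUEST {
    # Default: the address that opened the TCP connection to the virtual server.
    set client_ip [IP::client_addr]

    # Pattern for one parameter: for=a.b.c.d, optionally quoted, optional :port.
    set re {^\s*for="?(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"?\s*$}

    # Forwarded is request data. Use it only if exactly one such header is
    # present and the peer is a trusted proxy.
    if { [llength [HTTP::header values Forwarded]] == 1 &&
         [class match [IP::client_addr] equals trusted_proxies_dg] } {

        # RFC 7239: elements are separated by ",", parameters by ";".
        # The first element describes the hop nearest the original client.
        set element [lindex [split [HTTP::header value Forwarded] ","] 0]

        foreach param [split $element ";"] {
            if { [regexp -nocase $re $param -> candidate] } {
                set valid 1
                foreach octet [split $candidate "."] {
                    # scan %d reads decimal, so "010" is 10 and not octal 8.
                    scan $octet %d n
                    if { $n > 255 } { set valid 0 }
                }
                if { $valid } { set client_ip $candidate }
                break
            }
        }
    }

    # Replace whatever X-Forwarded-For the request carried with the one value.
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For $client_ip
}
```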
- KOR_124005
Nimbostratus
Hi nitass, many thanks for your reply. After having applied the iRule, as you can see, the field is replaced by the IP address of the Google proxy.

    Forwarded: for=105.235.128.137 >>>> 3G Customer
    Scheme: http
    Via: 1.1 Chrome Compression Proxy
    X-Psa-Client-Features: bypass,safebrowsing
    X-Psa-Client-Options: webp-enable
    User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/33.0.1750.21 Mobile/11D169 Safari/9537.53
    X-BIGIP-CALLING-IP: 66.249.93.10 >>>> Proxy Google
    X-Forwarded-For: 66.249.93.10, 192.168.101.54
    X-Varnish: 851995049

Many thanks for your help
Br,
- nitass_89166
Noctilucent
after having applied the irule
so, does it work or not work?
- KOR_124005
Nimbostratus
It does not work :( I made no changes to the iRule. What must I change in the iRule (ip, value ...)?
iRule:

    when HTTP_REQUEST {
        if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
            HTTP::header remove X-forwarded-for
            HTTP::header insert X-forwarded-for $ip
        }
    }

The IP of our 3G customer is 105.235.128.137. We want this address to be displayed in the following two fields, but for now it is replaced by the Google proxy.

    X-BIGIP-CALLING-IP: 66.249.93.10 >>>> Proxy Google
    X-Forwarded-For: 66.249.93.10

- nitass_89166
Noctilucent
not work 😞
can you add some logging in the irule?
e.g.

    when HTTP_REQUEST {
        log local0. "\[HTTP::header Forwarded\] [HTTP::header Forwarded]"
        if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
            HTTP::header remove X-forwarded-for
            HTTP::header insert X-forwarded-for $ip
        }
    }

- KOR_124005
Nimbostratus
Hi nitass, the VS is configured as follows: an HTTP profile is applied, and the iRule that you sent me. In the profile \ service \ http \ Insert Header request (enabled): X-BIGIP-CALLING-IP: [IP::client_addr]. Still the output is the same: the Google proxy IP replaces the client's. Thank you very much for your support and help, I really appreciate it.
Br,
- nitass
Employee
have you added the logging to the irule? what did you get from the log?
- KOR_124005
Nimbostratus
This is what I can find in /var/log/ltm:

    Apr 22 04:43:46 tmm3 info tmm3[7976]: Rule /VAS/XFW_Log_Local : [HTTP::header Forwarded]

Br,
- KOR_124005
Nimbostratus
and that is the iRule applied:

    when HTTP_REQUEST {
        log local0. "\[HTTP::header Forwarded\] [HTTP::header Forwarded]"
        if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
            HTTP::header remove X-forwarded-for
            HTTP::header insert X-forwarded-for $ip
        }
    }
