Forum Discussion

KOR_124005
Mar 05, 2014

How to set up the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT?

Hi all, hope you are fine.

Please, I need your help.

I have a problem:

When I activate the Google proxy, it is the IP of the proxy that replaces the customer address.

I tested the proxy with external sites and the client source IP is correctly entered in the XFF field.

I set up this configuration but I don't have the standard values:

http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

How can I configure the VS to have the standard values?

  • X-BIG-IP-IP-CALLING: xxxxxxxxx
  • X-FORWARD-FOR: xxxxxxxxx(IP Client), xx.xxx.xx.xxx (Proxy 1) xxx.xxx.xxx.xx (Proxy 2)

Thank you in advance

BR

22 Replies

  • e.g.

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 2
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
      if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
        HTTP::header remove X-forwarded-for
        HTTP::header insert X-forwarded-for $ip
      }
    }
    }
    
     trace
    
    [root@ve11a:Active:In Sync] config  ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 172.28.24.1(60325) <-> 172.28.24.10(80)
    1397563493.0008 (0.0022)  C>S
    ---------------------------------------------------------------
    GET / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.24.10
    Accept: */*
    Forwarded: for=1.2.3.4
    
    ---------------------------------------------------------------
    
    New TCP connection 2: 200.200.200.14(60325) <-> 200.200.200.101(80)
    1397563493.0028 (0.0018)  C>S
    ---------------------------------------------------------------
    GET / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.24.10
    Accept: */*
    Forwarded: for=1.2.3.4
    X-forwarded-for: 1.2.3.4
    
    ---------------------------------------------------------------
    
    • KOR_124005
      Hi nitass, many thanks for your reply. After having applied the iRule, as you can see, the field is replaced by the IP of the Google proxy.

          Forwarded: for=105.235.128.137 >>>> 3G Customer
          Scheme: http
          Via: 1.1 Chrome Compression Proxy
          X-Psa-Client-Features: bypass,safebrowsing
          X-Psa-Client-Options: webp-enable
          User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/33.0.1750.21 Mobile/11D169 Safari/9537.53
          X-BIGIP-CALLING-IP: 66.249.93.10 >>>> Proxy Google
          X-Forwarded-For: 66.249.93.10, 192.168.101.54
          X-Varnish: 851995049

      Many thanks for your help
      Br,
  • after having applied the iRule

    as you can see the field is replaced by the IP of the Google proxy.

    so, does it work or not work?


    • KOR_124005
      Not working :( I had made no changes to the iRule; what must I change in the iRule (IP, value ...)?

      iRule:

          when HTTP_REQUEST {
            if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
              HTTP::header remove X-forwarded-for
              HTTP::header insert X-forwarded-for $ip
            }
          }

      The IP of our 3G customer >> (105.235.128.137): we want this address to be displayed in the following two fields, but for now it is replaced by the Google proxy.

          X-BIGIP-CALLING-IP: 66.249.93.10 >>>> Proxy Google
          X-Forwarded-For: 66.249.93.10
  • not work 😞

    can you add some logging in the irule?

    e.g.

    when HTTP_REQUEST {
      log local0. "\[HTTP::header Forwarded\] [HTTP::header Forwarded]"
      if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
        HTTP::header remove X-forwarded-for
        HTTP::header insert X-forwarded-for $ip
      }
    }
    
    • KOR_124005
      Hi nitass, the VS is configured as follows: an HTTP profile is applied, and the iRule that you sent me.

      Profile \ Service \ HTTP \ Insert Header request (enabled):

          X-BIGIP-CALLING-IP: [IP::client_addr]

      Still the output is the same: the IP of the Google proxy replaces the client's. Thank you very much for your support and help, I really appreciate it.
      Br,
  • have you added the logging to the irule? what did you get from the log?

     

    • KOR_124005
      What I can find in /var/log/ltm:

          Apr 22 04:43:46 tmm3 info tmm3[7976]: Rule /VAS/XFW_Log_Local : [HTTP::header Forwarded]

      Br,
    • KOR_124005
      And this is the iRule applied:

          when HTTP_REQUEST {
            log local0. "\[HTTP::header Forwarded\] [HTTP::header Forwarded]"
            if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
              HTTP::header remove X-forwarded-for
              HTTP::header insert X-forwarded-for $ip
            }
          }
  • Apr 22 04:43:46 tmm3 info tmm3[7976]: Rule /VAS/XFW_Log_Local : [HTTP::header Forwarded]

     

    it seems no Forwarded header. is header name correct indeed?
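
Following up on the last question in the thread, an iRule can log every header BIG-IP actually receives and only then decide what goes into X-Forwarded-For. This is an added example, not code posted by anyone in the thread. It assumes 192.0.2.0/24 as a placeholder for the range the trusted upstream proxy connects from, handles IPv4 only, and honours Forwarded only from that range because the header is otherwise client-controlled.

```tcl
when HTTP_REQUEST {
    # Debug step: log every request header exactly as BIG-IP receives it,
    # to confirm which header (if any) carries the original client address.
    # Remove this loop once the header name is confirmed; it logs per request.
    foreach name [HTTP::header names] {
        log local0. "peer=[IP::client_addr] $name: [HTTP::header values $name]"
    }

    # Assumption: 192.0.2.0/24 is a placeholder for the trusted proxy range.
    # Replace it with the range your upstream proxy really connects from.
    set from_trusted_proxy [IP::addr [IP::client_addr] equals 192.0.2.0/24]

    # Never pass through an X-Forwarded-For supplied by the peer;
    # the header is rebuilt below from values this rule has checked.
    HTTP::header remove X-Forwarded-For

    # "scan {for=%s}" reads up to the next whitespace, so a value such as
    # for=1.2.3.4;proto=http would be copied whole. The pattern below takes
    # only a dotted IPv4 address, with or without surrounding quotes, and
    # matches the parameter name case-insensitively.
    set fwd [HTTP::header value Forwarded]
    set ip ""
    if { $from_trusted_proxy &&
         [regexp -nocase {for="?([0-9]{1,3}(\.[0-9]{1,3}){3})} $fwd -> ip] } {
        # Original client first, then the proxy that connected to BIG-IP.
        HTTP::header insert X-Forwarded-For "$ip, [IP::client_addr]"
    } else {
        # Untrusted peer or no usable Forwarded header: record the peer only.
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
}
```

If the HTTP profile on the virtual server also inserts X-Forwarded-For, the backend receives a second copy of the header, so enable only one of the two mechanisms.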