
Forum Discussion

Johan_Van_Geste
Oct 04, 2005

HTTP-header to real-server

Hi all,

We have a BIG-IP 1500 deployed in a 'flat network' (one VLAN to cover everything, VS-address and Node-addresses all in the same range, serving HTTP on port 80). Downside: this way the Real-Servers get to see only incoming requests from the BIG-IP's address, and for administrative reasons we should find a way to see the real IP addresses of the incoming clients. So basically my question would be: is there an iRule or something to that extent that could be created to forward (in an HTTP header or so) the real-client IP to the real-server instead of seeing the BIG-IP's IP? Please bear in mind that we had to put some SNATs for the 'flat network' config to work.

Hoping someone has already done this or can show us the way on how to accomplish this,

Thanks,

Johan.

1 Reply

  • Johan,

    First, let me say that this is an iRules question, so next time if you could post it to the iRules forum that would be best...

    With that being said, this is a very common question and there are many ways you can have BIG-IP insert that true client address.

    BIG-IP's http profile:

    In BIG-IP v9.0, the http profile has the following option: "Insert XForwarded For". If you enable this, an "X-Forwarded-For" HTTP header containing the true client address will be inserted into each HTTP Request.

    iRules:

    If for some reason you don't want to enable this in your profile, you can issue an HTTP::header command to insert the X-Forwarded-For header (or any other header you wish) in an iRule.

    when HTTP_REQUEST {
      # Replace X-Forwarded-For if you wish a different header name
      HTTP::header insert X-Forwarded-For [IP::remote_addr]
    }

    You might also want to take a look at this thread:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=1461


    Once you have picked one of these methods, you'll need to be able to extract that value in your logs. I've created an ISAPI Filter (if you are running IIS) that will substitute the c-ip value in the IIS logs with the value of the X-Forwarded-For header (if it exists). The source and binaries can be downloaded in CodeShare (Click here). I'm sure if you are using Apache on the backend there are Apache modules out there to do this as well.

    Good luck and let us know how it goes!

    -Joe
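
Added example (not part of Joe's reply and not F5 code): a request can carry an X-Forwarded-For header that the client supplied itself, and in a flat network a client may also reach a server without passing through the BIG-IP, so whatever rewrites the log should accept the header only from the BIG-IP and read it from the right. The Python below shows that resolution logic; the address 10.0.0.5 for the BIG-IP's SNAT and the function name are assumptions made for the example.

```python
import ipaddress

# Constructed sample value: the SNAT address the BIG-IP uses toward the servers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr, trusted):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def resolve_client_ip(peer, xff_headers, trusted=TRUSTED_PROXIES):
    """Return the address that should be logged as the client.

    peer        -- source address of the TCP connection seen by the web server
    xff_headers -- list with the value of every X-Forwarded-For header received
    """
    peer_addr = ipaddress.ip_address(peer)

    # A connection that did not come from the BIG-IP cannot vouch for the
    # header, so the header is ignored and the peer address is logged.
    if not _is_trusted(peer_addr, trusted):
        return str(peer_addr)

    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for value in xff_headers
            for h in value.split(",") if h.strip()]

    # The rightmost entry is the one appended by the BIG-IP; everything to its
    # left was already on the request and may be client-controlled.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing further to the left
        if not _is_trusted(addr, trusted):
            return str(addr)

    # No usable entry: fall back to the connection's own source address.
    return str(peer_addr)
```
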