For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Johan_Van_Geste's avatar
Johan_Van_Geste
Icon for Nimbostratus rankNimbostratus
Oct 04, 2005

HTTP-header to real-server

Hi all,     we have a BIG-IP 1500 deployed in a 'flat network' (one VLAN to cover everything, VS-address and Node-addresses all in the same range, serving HTTP on port 80). Downside: this way th...
dev
devops
iControl
Joe_Pruitt's avatar
Joe_Pruitt
Oct 04, 2005
Johan,

First, let me say that this is an iRules question, so next time if you could post it to the iRules forum that would be best...

With that being said, this is a very common question and there are many ways to can have BIG-IP insert that true client address.

BIG-IP's http profile:

in BIG-IP v9.0, the http profile has the following option: "Insert XForwarded For". If you enable this, a "X-Forwarded-For" HTTP header containing the true client address will be inserted into each HTTP Request.

iRules:

If for some reason you don't want to enable this in your profile, you can issue a HTTP::header command to insert the X-Forwarded-For header (or any other header you wish) in an iRule.

when HTTP_REQUEST {
 Replace X-Forwarded-For if you wish a different header name
HTTP::header insert X-Forwarded-For [IP::remote_addr]
}

You might also want to take a look at this thread:

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=1461

Click here

Once you have picked one of these methods, you'll need to be able to extract that value in your logs. I've created a ISAPI Filter (if you are running IIS) that will substitute the c-ip value in the IIS logs with the value of the X-Forwarded-For header (if it exists). The source and binaries can be downloaded in CodeShare (Click here). I'm sure if you are using Apache on the backend there are Apache modules out there to do this as well.

Good luck and let us know how it goes!

-Joe