Forum Discussion

viziony (Cirrus)
Jan 19, 2024

https-X-Forwarder for MYSQL VIPs - revealing source ips

Is there a way we can use https-X-Forwarder for MySQL port 3306 VIPs? Or does https-X-Forwarder only work for HTTPS VIPs?

If the latter, is there a script or iRule that we can run to have the MySQL servers get the client IP rather than the self IP of the F5 within their logs?

1 Reply

  • You could try to insert the client IP into TCP option 28. This is pretty standard practice for getting the original client IP address to a server over non-HTTP protocols. Some CDN vendors even have a checkbox to enable this for TCP LBs.
    You can review this DevCentral article explaining this functionality.  Although, that article is the reverse of your situation; i.e. it is the BIGIP extracting the client IP from TCP option 28, rather than injecting client IP into it.

    However, if you do this, then the server will have to have some way of extracting the client IP out of the TCP header.  If that sounds like an option, I can throw together a quick iRule to show you how it would be done.

    Another alternative that may or may not be viable for you is to move the SQL server "inline" behind the BIGIP, meaning the BIGIP is the default gateway for the SQL server. This would remove the need for NATing the traffic and the server would just see the original client IP in the IP header.

    Hope one of those works for you.

    Joe M
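
The server-side extraction step mentioned in the reply, as an added example that is not part of the original thread or any F5 code: a parser that walks the options of a raw TCP header and returns the address carried in option 28. The payload layout (4 raw IPv4 bytes), the function names and the sample header are assumptions made for this sketch; the thread does not specify them.

```python
import ipaddress
import struct

CLIENT_IP_OPTION_KIND = 28  # option kind named in the reply above

def tcp_options(tcp_header: bytes):
    """Yield (kind, payload) for each option in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List
            return
        if kind == 1:  # No-Operation, a single byte with no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length

def client_ip_from_option(tcp_header: bytes):
    """Return the client IP from option 28, or None if it is absent.
    Assumption: the payload is the 4 raw bytes of an IPv4 address."""
    for kind, payload in tcp_options(tcp_header):
        if kind == CLIENT_IP_OPTION_KIND and len(payload) == 4:
            return str(ipaddress.IPv4Address(payload))
    return None

def build_sample_syn(option_bytes: bytes) -> bytes:
    """Constructed SYN header for the demo: ports 40000 -> 3306."""
    padded = option_bytes + b"\x00" * (-len(option_bytes) % 4)
    offset_words = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 3306, 1, 0,
                        offset_words << 4, 0x02, 65535, 0, 0)
    return fixed + padded

# Constructed sample: MSS, NOP, NOP, then option 28 carrying 203.0.113.7
SAMPLE = build_sample_syn(b"\x02\x04\x05\xb4\x01\x01\x1c\x06\xcb\x00\x71\x07")
```

Accept the value only on connections whose source address is the BIGIP self IP, since any sender can set this option on its own packets.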