Forum Discussion

superd_88943's avatar
Icon for Nimbostratus rankNimbostratus
Oct 23, 2018

Insert X-Forwarded-For Not Working

Hi Guys,


Ive a created a VIP to LB to two web proxies. Iv also enabled a HTTP profile with the Insert X-Forwarded-For setting enabled, however on my proxy server i am always seeing the floating self IP of LTM.


Ive also tried disabling the setting Insert X-Forwarded-For on the HTTP profile and using an iRule, still the same issue.


Am i missing anything here? Any recommendations much appreciated.






7 Replies

  • Zuke's avatar
    Icon for Cirrostratus rankCirrostratus

    The source IP address will still be the Self-IP because of basic networking. Can you confirm the proxy is receiving the X-Forwarded-For header in the packet and it's not stripping that header out?


  • iRule:


    when HTTP_REQUEST { HTTP::header insert X-Forwarded-For [IP::remote_addr] }


  • Zuke's avatar
    Icon for Cirrostratus rankCirrostratus

    I suspect that if you've checked the Insert X-Forwarded-For box in the HTTP profile that your F5 configuration is correct. You probably don't need the iRule in addition to the HTTP profile, but it should work.


    Can you paste the virtual server config from /config/bigip.conf ?


  • Thanks.. yes Ive tried both with iRule and XForwardedFor enabled on profile, independently and together.


    ltm virtual Servers_browsing_8080_VIP { description "VIP for servers and non compliant PAC file systems." destination ip-protocol tcp mask persist { cookie { default yes } } pool Browsing_POOL profiles { http-proxy { } tcp { } } rules { websense_xforwarded_for } source source-address-translation { type automap } vs-index 95 }


  • As Zuke has implied, I think you're expecting the X-Forward-For option to pass the client IP to the server in the TCP packet. That's not what this option does. It and the iRule are intended to insert an HTTP header into the HTTP request flowing to the server. It does not change the source address of the packet.


    You're seeing the F5 (floating) source address because you have SNAT enabled.


  • Thanks all... ill investigate at the proxy side to see if it can pull the client IP from the HTTP packet.


  • DJTM1's avatar
    Icon for Nimbostratus rankNimbostratus

    On the VS configuration you have to add a HTTP profile with the Insert X-Forwarded-For setting enabled and also add an HTTP Proxy Connect profile.


    It should be working !