Forum Discussion
lardyboy_lardyb
Nimbostratus
Dec 15, 2004
inserting client ip address into header when using SNAT
iRules novice here !!
I have a need to add the real client IP into the HTTP header when using a SNAT rule, but I need to do it dynamically. This is due to the upstream proxy using client IP addresses to determine policy for web browsing. I understand this can be done somehow using iRules and remote_addr or something - only thing is I am not a software type geeza, so programming for me is like coming to terms with 3 heads !!
Has anyone done this before and maybe supply some code, or can anyone shed light on what is needed? help oh help !!
15 Replies
- unRuleY_95363
Historic F5 Account
This is actually something a lot of people do...
So here is an example that preserves the original client IP in an HTTP header called "ORIG_CLIENT_IP" (you could replace the name with any other name you want and/or also put it in a cookie to the server):
rule preserve_client_ip {
   when HTTP_REQUEST {
      HTTP::header insert ORIG_CLIENT_IP [IP::remote_addr]
   }
}
And there you have it. If you wanted to add it as a cookie then use this instead:
HTTP::cookie insert ORIG_CLIENT_IP [IP::remote_addr]
- rapmaster_c_127
Historic F5 Account
And if you want a standards-based X-Forwarded-For trace header, you can do this without an iRule:
b profile http http insert xforwarded for enable
- Brian_Ott_11267
Nimbostratus
Netscaler provides an ISAPI filter on the server side which allows the IIS logs to recognize the true customer's ip address rather than the load balanced one. Is there anything similar that F5 offers? Can one do this with irules?
- Nick_Johnston_2
Nimbostratus
Hi-
I read your post on adding Original Client IP to the HTTP Request, I tried your rule verbatim in our BigIP 9.0.3 and received the following error:
01070151:3: Rule [preserve_client_ip] error:
line 1: [undefined procedure: rule] [rule preserve_client_ip {
when HTTP_REQUEST {
HTTP::header insert ORIG_CLIENT_IP [IP::remote_addr]
}
}]
Any ideas on what I can do to correct this?
I also included a screenshot attached
- unRuleY_95363
Historic F5 Account
I'm not sure why you think you need FastHTTP. Generally, FastHTTP is a less complex, lightweight HTTP processing engine that runs a lot faster, but without the flexibility afforded by using the full HTTP proxy.
I don't know of any requirement that would force you to use the FastHTTP profile unless it's for your own performance requirements.
- Nick_Johnston_2
Nimbostratus
Jan 19 11:41:13 deathstar mcpd[714]: 01070394:3: HTTP::header in rule (myIrule) requires an associated FASTHTTP profile on the virtual server (FCECO).
This entry is directly from my \var\log\tmm\ltm file
I would prefer to keep my Virtual Server the way it is set up now (only a Client SSL profile enabled) and just apply an iRule,
- unRuleY_95363
Historic F5 Account
Ok, this error is very misleading and I have created a bug entry for us to clarify the error message.
What is going on is that you have used the HTTP::header command in a rule event where it's not normally allowed (unless you are using the FastHTTP profile).
I'm not sure what you have done as my original example had it in the HTTP_REQUEST event, perhaps you inadvertently put it in a CLIENT_ACCEPTED event?
You do need to have an http profile on the virtual for the HTTP_REQUEST event to work, but you do not need a FastHTTP profile.
If you were using the HTTP_REQUEST event but did not configure the http profile on the virtual, then the error would look like this:
01070394:3: HTTP_REQUEST event in rule (preserve_client_ip) requires an associated HTTP or FASTHTTP profile on the virtual server (myvirt).
Also, note that FastHTTP will not work with SSL termination.
- unRuleY_95363
Historic F5 Account
Brian,
I have checked into the ISAPI plugin and no we don't currently have one that does what you are requesting. Here are my thoughts on it:
A) It is pretty much industry standard to use the header "X-Forwarded-For" to indicate the original client IP address. We have an attribute in the http profile that allows you to turn on automatic insertion of this header:
profile http myhttp insert xforwarded for enable
Most servers should have the ability to identify and log this header.
B) I'm quite sure NetScaler preserves the client IP address using the same mechanism (possibly even the X-Forwarded-For header). If you know the header that they use, then you could always configure the BigIP to use the same header and then simply (continue?) using the NetScaler plugin.
C) You could contact our professional services organization and they would be happy to work with you to develop such a plugin, it's quite easy for us to do.
Hope this helps.
- Brian_Ott_11267
Nimbostratus
Thank you for your reply. I had thought of talking to Netscaler about finding out what they use in the header, but there are issues with trying to do that.
I was told that if I disable snat, and start using the F5 as a default gateway for our load balanced servers, the IPs would be logged properly (since snat is not altering the packet). Is that true?
- unRuleY_95363
Historic F5 Account
Yes, that would be true. Without SNAT the original client IP is preserved as the source of the packet.
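As an added example (not part of the thread, and not F5 code), this is how a server or upstream proxy behind the SNAT could consume the headers discussed above for logging or policy: the header is honoured only when the TCP peer is the load balancer, so a client-supplied copy is never taken at face value. The names client_ip and TRUSTED_PROXIES, the 192.0.2.0/28 range, and the premise that the load balancer's value is the last entry are assumptions to confirm for the deployment.

```python
import ipaddress

# Assumption: SNAT source addresses the load balancer uses toward the servers
# (constructed documentation range, not taken from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(token):
    """Return an ip_address for one header token, or None if malformed."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def client_ip(peer, headers, header_name="X-Forwarded-For"):
    """Resolve the address to log or apply policy on.

    peer    -- source address of the TCP connection as seen by the server
    headers -- list of (name, value) pairs in the order received
    """
    peer_addr = ipaddress.ip_address(peer)
    # A connection that did not arrive from the load balancer cannot vouch
    # for any header, so the socket address is the only usable value.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    # Flatten every copy of the header: a client may send its own copies,
    # and (assumption) the load balancer's value comes after them.
    hops = []
    for name, value in headers:
        if name.lower() == header_name.lower():
            hops.extend(value.split(","))
    # Walk from the right, skipping entries that are trusted proxies;
    # the first other address is the client as the load balancer saw it.
    for token in reversed(hops):
        addr = _parse(token)
        if addr is None:
            break  # malformed entry: stop trusting the chain
        if not _is_trusted(addr):
            return str(addr)
    return str(peer_addr)
```

Passing header_name="ORIG_CLIENT_IP" applies the same check to the custom header from the iRule earlier in the thread.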