Forum Discussion
Lou_125071
Nimbostratus
Dec 09, 2014
Load balance to specific pool by reading the X-Forwarded-For IP address
I've been asked if we can send specific client to a different pool based on the X-Forwarded-For IP address. I suspect this must be done via an IRule. Any help would be appreciated.
Thanks
nitass
Employee
Dec 09, 2014
You can retrieve the X-Forwarded-For header value by using the HTTP::header command, and then you can do whatever you want, e.g. send to a specific node (node command) or pool (pool command), etc.
HTTP::header: https://devcentral.f5.com/wiki/iRules.HTTP__header.ashx
- Lou_125071 (Nimbostratus), Dec 10, 2014
  Thanks, this worked by just ORing the other IP addresses. I was going to try and do it with a data group list, which was why I was having trouble getting it to work. I'll probably also add the real client IP in case the IP comes in not in the X-Forwarded-For. Thanks again for the help.

- shaggy (Nimbostratus), Dec 10, 2014
  This should be doable as a data-group. Do you foresee the list of IP addresses changing often over time?

- Lou_125071 (Nimbostratus), Dec 10, 2014
  Shaggy, this is what we have so far, and all works except if you do not have an X-Forwarded-For address and you are not in the data group list: you do not fall into the default pool. If you are in the list it works for both the real client and X-Forwarded-For. Can you see anything here that would make it react this way?

      when HTTP_REQUEST {
          if { [class match [IP::client_addr] equals MY-List] } {
              pool MY-pool
          } elseif { [class match [HTTP::header "X-Forwarded-For"] equals MY-List] } {
              pool TEST-pool
          }
      }

- shaggy (Nimbostratus), Dec 10, 2014
  What happens to a user who is not in either data-group? Is her/his request dropped, or does it go to an incorrect pool? Also, is OneConnect configured for the virtual server?

- Lou_125071 (Nimbostratus), Dec 11, 2014
  We only have one data-group. If the IP is not in the data group and he hits the VS with his IP in the X-Forwarded-For, his connection goes to the default VS configured pool. So it works only for the X-Forwarded-For. If he comes in without the X-Forwarded-For and not in the list, his connection is just dropped and he does not go to the default VS configured pool. OneConnect is not configured. We get the same results if we do not use a list and just enter IP addresses and stipulate contains, for example: contains "X.X.X.X".

- Lou_125071 (Nimbostratus), Dec 12, 2014
  We figured it out. We had set up a pre-VS to put the X-Forwarded-For on before it hit our destination VS that had the iRule. We did this because we didn't know if the specific clients in question would hit our site directly or through the Akamai CDN. This way, if they hit the destination VS and didn't have an X-Forwarded-For tag, they could still work. Running this way we could not get the IP that was not in the list to work correctly. So just for the heck of it we put X-Forwarded-For on the destination VS and this worked. So here is the working iRule, which I believe was the original post. I was under the impression that the iRule would take effect before an X-Forwarded-For IP stuffing. This is not the case, and it was much easier than we were making it.

      when HTTP_REQUEST {
          if { [class match [HTTP::header "X-Forwarded-For"] equals My-List] } {
              pool My-pool
          }
      }
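An added example, not code from this thread or from F5, that builds on the working rule above with the checks a defender would want before routing on X-Forwarded-For. Any client can send an X-Forwarded-For header directly to the virtual server, so the rule honours it only when the TCP peer is in an assumed address data group of trusted proxies (TRUSTED-PROXIES); it reads the chain from the right, skipping trusted proxies, so that the address used is the one a trusted proxy actually saw rather than a value the client may have forged; and it guards against an empty or malformed value before the data-group lookup, so a request without the header simply falls through to the virtual server's default pool. The data-group names TRUSTED-PROXIES and MY-List, the pool name MY-pool, the regex sanity check and the log line are all assumptions for illustration.

```tcl
# Added example (not code from the thread or from F5): route on X-Forwarded-For
# only when it can be trusted. Assumed objects: address data groups
# TRUSTED-PROXIES (CDN / upstream proxy addresses) and MY-List (clients to
# divert), and pool MY-pool.
when HTTP_REQUEST {
    set peer_ip [IP::client_addr]
    set routing_ip $peer_ip

    # Any client can send an X-Forwarded-For header directly to the virtual
    # server, so the header is honoured only when the TCP peer is a trusted
    # proxy. Requests from anyone else are routed on their real address.
    if { [class match $peer_ip equals TRUSTED-PROXIES] } {
        # Join multiple XFF headers in order, then split the comma-separated
        # chain "client, proxy1, proxy2" into a list.
        set chain [split [join [HTTP::header values "X-Forwarded-For"] ","] ","]

        # Walk from the right: each trusted proxy appends the address it saw,
        # so the first entry from the right that is not itself a trusted proxy
        # is the best available client address. Entries the client may have
        # forged sit further left and are never reached.
        for { set i [expr {[llength $chain] - 1}] } { $i >= 0 } { incr i -1 } {
            set candidate [string trim [lindex $chain $i]]
            if { $candidate eq "" } { continue }
            # Basic sanity check (assumed sufficient here): only address
            # characters, so an obviously malformed value is never passed to
            # the address data-group lookup; stop and keep the peer address.
            if { ![regexp {^[0-9A-Fa-f.:]+$} $candidate] } { break }
            if { [class match $candidate equals TRUSTED-PROXIES] } { continue }
            set routing_ip $candidate
            break
        }
    }

    # An absent header or an unmatched address leaves routing_ip at a value
    # that is not in MY-List, so no pool is selected here and the request
    # falls through to the virtual server's default pool.
    if { [class match $routing_ip equals MY-List] } {
        log local0. "Diverting peer $peer_ip (routing on $routing_ip) to MY-pool"
        pool MY-pool
    }
}
```

In the two-virtual-server layout described earlier in the thread, the address the destination VS sees as its peer is the first VS, so that address would have to be in TRUSTED-PROXIES for the header to be read at all; a client connecting directly with a forged header is routed on its real address and never reaches MY-pool unless that real address is in MY-List.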