For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dsnaithd_104244's avatar
dsnaithd_104244
Icon for Nimbostratus rankNimbostratus
Jan 25, 2010

newbie Q regarding V10, custom log headers and SSL

Hi all,

 

 

I apologise in advance for a newbie question as I have little experience in this area, however I can't find the answer I'm looking for. I think what I need to do is pretty straightforward.

 

 

I have an ssl virtual server set to terminate and forward to a pool of weblogic instances ( just tcp port 8001 on a 2 server pool ). This part works without issue.

 

 

What I want to do is preserve the client ip using the custom weblogic header - WL-Proxy-Client-IP.

 

 

So I add an irule ( shamelessly copied from a post on here - thanks ! )

 

 

when HTTP_REQUEST {

 

HTTP::header insert WL-Proxy-Client-IP [IP::client_addr]

 

}

 

 

The question is - where do I apply the rule ? Is it correct to add an http profile to the ssl virtual server and apply the irule there ?

 

 

TIA,

 

Dave
application delivery
dev
devops
iRules

4 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 25, 2010
    Hi Dave,

     

     

    Welcome to the forums. Glad you were able to find an example that worked for you.

     

     

    You can configure this on a custom HTTP profile. Set the 'header to insert' to WL-Proxy-Client-IP: [IP::client_addr] and the header to erase as WL-Proxy-Client-IP. This ensures any existing WL-Proxy-Client-IP header will be removed before a new one is inserted.

     

     

    You could also do this with an iRule, but the HTTP profile option is a bit simpler to configure.

     

     

    Aaron
  • dsnaithd_104244's avatar
    dsnaithd_104244
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2010
    Aaron,

     

     

    thanks for the quick response - have implemented your idea with not a great deal of success unfortunately.

     

     

    What I didn't mention is that we have a SNAT applied ( hence the need for the header ) - are you aware of any config required when using SNAT and custom headers ?

     

     

    Its entirely possible however, and quite likely, that the header is indeed being set and ignored at the weblogic end, thats something I have yet to verify.

     

     

    cheers,

     

    Dave
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 25, 2010
    Hi Dave,

    The header insert option will work with/without SNAT. You can check that the header is being inserted by adding a logging iRule or using tcpdump: 

     
 when HTTP_REQUEST { 
  
     Log the WL-Proxy-Client-IP header value 
    log local0. "WL-Proxy-Client-IP value: [HTTP::header value WL-Proxy-Client-IP]" 
  
 }

    tcpdump -ni 0.0 -Xs0 host NODE_IP and port NODE_PORT

    Aaron
  • dsnaithd_104244's avatar
    dsnaithd_104244
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2010
    Thanks Aaron - fyi I can verify the header is being written, so off to the weblogic config we go.

     

     

    Thanks for your time and help.