Forum Discussion
OneConnect And RealClientIP
Hi, we started to deploy OneConnect mode on one of our vservers. It works fine, but the issue is that it is a BO system and I need to see the RealClientIP of each HTTP request for reports etc. Since we started to use OneConnect, the IP addresses do not match the real login agent. For example, if I log in, I see that my source address comes from a different agent that logged in a minute ago, and not my IP. I enabled the Insert X-Forwarded-For option on the HTTP profile and also created the following iRule:
when HTTP_REQUEST { HTTP::header insert X-Forwarded-For [IP::remote_addr] }
But I still see that the real client IP of the agent does not belong to him.
9 Replies
- YossiV
Nimbostratus
I was thinking of using this iRule:
when HTTP_REQUEST { if {[HTTP::header exists "X-Real-IP"]}{ snat [HTTP::header "X-Real-IP"] } elseif {[HTTP::header exists "X-Forwarded-For"]}{ snat [HTTP::header "X-Forwarded-For"] } else { return } }
- YossiV
Nimbostratus
OK, the issue was solved after enabling XFF on the HTTP profile and using the above iRule.
- Vijay_E
Cirrus
You can also use the netmask of 255.255.255.255 within the OneConnect profile in order to retain the real client IP at the server level.
- YossiV
Nimbostratus
Well, I thought I had solved the issue, but it seems I didn't. Using /32 solved the issue, but the server-side connections started to jump; since it's a service that is open to the whole world, it will keep each session open. So I used the default OneConnect profile and the iRule I wrote above, but it didn't work. Any idea how I can use OneConnect without losing the real client IP?
- Vijay_E
Cirrus
Did you solve the problem or do you still need assistance?
Have you tried using the XFF header within the HTTP profile and using the XFF header to obtain the original client IP at the server level?
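An added example (not part of this thread, and not F5's or any poster's code) of reading X-Forwarded-For per HTTP request at the server level, as the reply above suggests. With OneConnect, one server-side TCP connection carries requests from many clients, so the connection's source address cannot identify the client. It assumes the BIG-IP appends the connecting client's address as the last X-Forwarded-For value; `TRUSTED_PROXIES` and all sample addresses are constructed.

```python
import ipaddress

# Assumption: the BIG-IP self IPs / SNAT addresses that open connections
# to this server. Constructed value; replace with your own.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    """True if addr is one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(token):
    """Parse one X-Forwarded-For entry; None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def client_ip(peer_addr, xff_headers):
    """Return the client IP for ONE HTTP request.

    peer_addr   -- source IP of the TCP connection (the proxy, when pooled)
    xff_headers -- X-Forwarded-For header values in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    # A request that did not arrive through our proxy carries an
    # X-Forwarded-For we cannot trust at all: use the socket address.
    if not _is_trusted(peer):
        return str(peer)
    # Flatten repeated headers and comma lists into one hop list.
    hops = [h for value in xff_headers for h in value.split(",")]
    # Walk right to left: the rightmost entries were written by our own
    # proxies; anything further left is client-controlled input.
    for token in reversed(hops):
        addr = _parse(token)
        if addr is None:
            break  # malformed entry: trust nothing to its left
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)
```

Call `client_ip` for every request, not once per connection, and log its result in reports instead of the socket's remote address.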
- YossiV
Nimbostratus
Hi Odaah, no, I still didn't find a solution. I tried using the HTTP profile with "Insert X-Forwarded-For" and then assigned the iRule:
when HTTP_REQUEST { if {[HTTP::header exists "X-Real-IP"]}{ snat [HTTP::header "X-Real-IP"] } elseif {[HTTP::header exists "X-Forwarded-For"]}{ snat [HTTP::header "X-Forwarded-For"] } else { return } }
but it didn't work. I still see clients reaching my BO site with addresses that belong to other clients (for example, a client from China got an address that belongs to a client from the US). When a client generated a report, he saw that someone logged in from the US and made a deposit. I needed to calm him down and explain to him that it's not fraud 🙂
Maybe the iRule is not correct.
- YossiV
Nimbostratus
OK, so I think I know what my issue is: https://support.f5.com/kb/en-us/solutions/public/9000/800/sol9816.html?sr=21470362 I am also using the ASM module, so that might be the issue :\
- YossiV
Nimbostratus
Hi Boneyard. Yes, I did it, but when I changed the connection to a /32 prefix the connections started to jump from 300 to 1200, so it wasn't a good idea. Enabling Auto Map gave me the F5 local IP.