Forum Discussion
Pass Source IP to server?
Hello,
We have a server call it 172.1.1.1 in our DMZ. We NAT it to 10.1.1.1. When I visit https://10.1.1.1 our dev team has a script that runs that displays "Your IP is: 10.23.3.x"
I then go through load balancer, create a pool with this single server, port 443 and create a VIP 172.1.1.2 NAT it to 10.1.1.2
When I visit https://10.1.1.2 it says "Your IP is: 172.1.1.x"
Can anyone point me in the right direction how I can get the same result direct to the server and behind the VIP? I'm new to F5, and stumbling which direction to go.
4 Replies
- Samir_Jha_52506
Noctilucent
Yeah, you can get it through a custom http profile with the x-forward option enabled.
- Michael_Ozorows
Nimbostratus
Thank you Jhaas this worked!!! :) Only thing I had to do was do port 80 or 8080 with x-forward; it's not working with HTTPS.
I think for HTTPS I just need an SSL Cert for SSL Offload on the F5, is that correct?
- Stephane_Viau_1
Nimbostratus
Michael, you have 3 options:
First option is you do not enable an HTTP profile on your Virtual Server. In this case the TLS handshake will have to be done by your application server. There is 0 offloading done in this case and your SSL certificate needs to be on your app server:
Client --> Passthrough Port 443 --> Big-IP --> Passthrough Port 443 or 8443 --> App Server
Second option is you enable an HTTP profile and also an SSL certificate (through a client-ssl profile), but pass on the requests to the app server unencrypted. This is probably the scenario that you are looking for because it provides offloading for your server:
Client --> HTTPS Port 443 --> F5 Big-IP --> HTTP Port 8080 --> App Server
This option offloads the server as the encryption terminates at the Big-IP. One important thing to know is that this might cause your app to misbehave because your app might want users to come in via HTTPS but it will see unencrypted connections. And then it will redirect users to . And this is going to create an infinite loop. In this case you might need to pass on not only X-Forwarded-For, but also X-Forwarded-Proto to tell your application that the user has connected via https and not http.
Third option is you use encryption all the way, in which case you need an HTTP, client-ssl profile and server-ssl profile. You will need an SSL cert on both Big-IP and app server:
Client --> HTTPS port 443 --> Big-IP --> HTTPS Port 443 or 8443 --> App Server
This scenario does not provide offloading for your server but provides an additional level of security.
- Samir_Jha_52506
Noctilucent
@Michael, you will have to attach a valid SSL cert to the https vip to get the client ip. The rest of the configuration is the same as for the http vip (http profile with x-forward enabled).
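For the offload setup in the second option above, the app server has to decide when to believe X-Forwarded-For and X-Forwarded-Proto. The following is an added example, not code from the thread or from F5: it honours the headers only when the TCP peer is the load balancer, which also stops the HTTPS redirect loop. The proxy address `172.1.1.10`, the sample client addresses and the function names are assumptions made up for illustration.

```python
import ipaddress

# Assumption: address the Big-IP uses to reach the app server (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("172.1.1.10/32")]

def _parse(ip):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None

def _is_trusted(ip):
    addr = _parse(ip)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)

def resolve_client(peer_ip, headers):
    """Return (client_ip, scheme) for a request received over plain HTTP."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not _is_trusted(peer_ip):
        # Direct hit on the server: forwarded headers are client-supplied, ignore them.
        return peer_ip, "http"
    client = peer_ip
    # Assumes repeated headers were joined with commas and the proxy's entry is last.
    hops = [h.strip() for h in hdrs.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            break                      # malformed entry: stop, keep last good value
        client = hop
        if not _is_trusted(hop):
            break                      # first hop we do not operate is the client
    proto = hdrs.get("x-forwarded-proto", "http").strip().lower()
    return client, proto if proto in ("http", "https") else "http"

def https_redirect(peer_ip, headers, host, path):
    """Return a redirect URL, or None if the client already used HTTPS at the VIP."""
    _, scheme = resolve_client(peer_ip, headers)
    return None if scheme == "https" else f"https://{host}{path}"

if __name__ == "__main__":
    via_vip = {"X-Forwarded-For": "10.23.3.7", "X-Forwarded-Proto": "https"}
    print(resolve_client("172.1.1.10", via_vip))
    print(https_redirect("172.1.1.10", via_vip, "app.example", "/login"))
```

Without the peer check, anyone who can reach the server directly could set these headers and appear as any address or skip the HTTPS redirect.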