For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Lance_53368's avatar
Lance_53368
Icon for Nimbostratus rankNimbostratus
May 04, 2009

Preserve Client IP address through HTTPS Virtua Server

Hello,

 

 

I have a pair of Microsoft web servers that were being load balanced with Microsoft NLB. Since I have moved them over to BigIP (LTM 3600 v.9.4.6), I have not been able to view client IP addresses in the web logs.

 

 

I have been able to get source IP addresses on http servers with using the X_Forwarded_For option in the http profile, but I have not been able to find any documentation on performing a simiilar funciton with ssl.

 

 

Has anyone done this?

 

 

Thanks,

 

 

Lance
application delivery
dev
devops
iRules

2 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 05, 2009
    Hi Lance,

     

     

    If you are decrypting the SSL on LTM you can still insert the XFF header for HTTPS. If you're not decrypting the SSL, you won't be able to inspect or modify the HTTP headers or data. You could either decrypt the client SSL and re-encrypt it (if the LTM to application connection requires SSL), change the default gateway on the servers to the LTM self IP address and remove the SNAT configuration, or not get the original client IP address for HTTPS VIPs.

     

     

    Aaron
  • Lance_53368's avatar
    Lance_53368
    Icon for Nimbostratus rankNimbostratus
    May 05, 2009
    Thanks Aaron,

     

     

    We opted to use the LTM floating IP as the default gateway for the web servers. That pretty much killed our ability to access the website from inside the firewalls, but we are able to access it from public addresses. We probably just need to configure a NAT or route on the firewall to take care of it.

     

     

    Thanks again for the quick response.

     

     

    Lance