Comex_17260
Nimbostratus
Dec 15, 2011
Preserve client ip (Stealth LB)
Hello Everybody,
I made a search through discussions to see if this subject is covered, and apparently it is not.
I have several applications running on my servers behind my Big-IP 10.2.x LB, and before they were behind the LB, they were reading and using the client's IP in several manners.
I know I can use X-Forwarded-For or any other field in the HTTP header to pass the client IP to the server, but I cannot change my software to adapt to the new system.
What I have to do is, if it is possible, make the LB stealth and the server will see the real client's IP address rather than LB's IP address.
Is it possible to assign a new value to client_addr in any context?
P.S. How the client IP address is read in the application is as follows:
---------------------------------------------------------
Java
getRemoteAddr
Returns the Internet Protocol (IP) address of the client or last proxy that
sent the request. For HTTP servlets, same as the value of the CGI variable
REMOTE_ADDR.
Returns:
a String containing the IP address of the client that sent the request
---------------------------------------------------------
Thanks in advance,
-Comex
3 Replies
- hoolio
Cirrostratus
Hi Comex,
Is this for IIS only? If so, here's a possible solution:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/31/afv/topic/aft/1178815/afc/1227279/Default.aspx
Posted By rjordan on 05/06/2011 12:53 PM
Regarding something simple to attempt, try installing ARR Helper for IIS (http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx). This will rewrite the REMOTE_ADDR value with the X-Forwarded-For value. We've used this when we have to deal with some closed source applications that can't be updated to look at X-Forwarded-For. I don't think it rewrites the source IP in the web logs, though.
Another option would be to modify the servers to set the default gateway to an LTM self IP and then disable SNAT.
Aaron
- Comex_17260
Nimbostratus
Hey Hoolio,
Thanks for your response.
Although one of the servers is IIS, my problem is about the source code, as I cannot change it.
I was trying to assign client ip to LB's local IP when the connection is made from the client to server through LB. I hope that when this is done, the server will see/think that the remote address in https request is client ip rather than LB's IP.
The servers get IP from the LB, but SNAT is opened because the servers start requests to outside (e.g. sending mail).
If this can be done without changing any other part of my whole network, I am saved.
-Comex
- nitass
Employee
If you cannot change code, I think the server has to set F5 as default gateway. Then you will be able to disable SNAT, so the server will see the real client IP address.
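
What ARR Helper does for IIS in the reply above can be done for a Java servlet application with a servlet filter, which is registered in web.xml and needs no change to the application source. This is an added example, not code from the thread or from F5; the class name `ForwardedAddrFilter` and the `trustedProxy` init parameter are hypothetical, and it assumes the LB inserts X-Forwarded-For and that `trustedProxy` is the LB address the server sees as the connection peer.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Added example: makes getRemoteAddr() return the client IP reported by the load balancer. */
public class ForwardedAddrFilter implements Filter {
    private static final String HEADER = "X-Forwarded-For";
    private String trustedProxy;   // hypothetical init-param: LB address seen as the TCP peer

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        trustedProxy = cfg.getInitParameter("trustedProxy");
        if (trustedProxy == null) throw new ServletException("trustedProxy init-param is required");
    }

    /** Decision logic: which address the application should see. */
    static String resolve(String peer, List<String> headerValues, String trustedProxy) {
        // A request that did not arrive from the LB may carry a forged header: ignore it.
        if (!peer.equals(trustedProxy) || headerValues.isEmpty()) return peer;
        // Assumption: the LB adds the address it saw last; earlier entries are client-supplied.
        String[] hops = headerValues.get(headerValues.size() - 1).split(",", -1);
        String candidate = hops[hops.length - 1].trim();
        // Accept only strings made of IP-literal characters, never arbitrary text.
        return candidate.matches("[0-9A-Fa-f:.]{2,45}") ? candidate : peer;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) { chain.doFilter(req, res); return; }
        HttpServletRequest http = (HttpServletRequest) req;
        final String client = resolve(http.getRemoteAddr(),
                Collections.list(http.getHeaders(HEADER)), trustedProxy);
        // The wrapper changes only what the unmodified application reads.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteAddr() { return client; }
        }, res);
    }

    @Override
    public void destroy() { }
}
```

The filter must be mapped ahead of the application's servlets so that every call to `getRemoteAddr` goes through the wrapper. Requests that reach the server without passing through the LB keep their real peer address, so a client-supplied header cannot change what the application sees.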