Forum Discussion

Atif_Malik_1133
Nimbostratus
Nov 10, 2005

(re)Setting remote_addr

I saw several posts on how to get the real client IP to be forwarded as a variable. My problem is slightly different: I want to reset the variable REMOTE_ADDR to be the real client address. All the iRules I see are for setting a new variable to be the client address or using X_FORWARDED_FOR for the client address.

The iRule I came up with is

when HTTP_REQUEST {
    HTTP::header replace "REMOTE_ADDR" [IP::remote_addr]
}

but this gives the server the variable HTTP_REMOTE_ADDR as opposed to simply REMOTE_ADDR.

On the backend we are running Apache with PHP, if that makes a difference.
  • REMOTE_ADDR is actually part of the CGI specification (Click here).

    So, when BIG-IP inserts the REMOTE_ADDR header with your value, it gets to Apache and Apache says, hummm, I need to supply the value for the client side address in the REMOTE_ADDR environment variable but I see a client-supplied HTTP header with that same name. I guess I'll prefix their header with "HTTP_" so that both are maintained.

    So, basically, you cannot override standard CGI variables. You'll either need to come up with another name, or live with the auto-renaming that Apache is doing.

    With that said, Apache is very configurable. I'd be surprised if you couldn't hack the configuration on your webservers to replace the REMOTE_ADDR with another header value. I'm just not very well versed in Apache config so I don't know for sure.

    -Joe
  • drteeth_127330
    Historic F5 Account
    Joe is absolutely correct. However, I would expect REMOTE_ADDR in the CGI to be the same as [IP::remote_addr] unless you have configured a SNAT or have OneConnect enabled. So, if you really want REMOTE_ADDR to be the client's address, then disable the SNAT and set the OneConnect source mask to 255.255.255.255. Good luck!
  • We don't have SNAT, and OneConnect is enabled. I am not sure how I would set the OneConnect source mask to 255.255.255.255?

    Either way, I think this might have a better solution at the Apache level (as mentioned by Joe); the little Apache SetEnv I tried didn't work. I will try some more things to see what works.
  • Posted By Joe on 11/10/2005 9:20 AM

    So, basically, you cannot override standard CGI variables. You'll either need to come up with another name, or live with the auto-renaming that Apache is doing.

    So LTM doesn't offer any mechanism to write/overwrite standard CGI variables? Is that the case? To maintain legacy apps that use REMOTE_USER, I'd like to parse a username from the subject DN of a client certificate and insert it into the REMOTE_USER variable.
  • hoolio
    Cirrostratus
    If you're wanting to modify how Apache logs HTTP headers, I think you can use the LogFormat directive in your httpd.conf. SOL4816 (Click here) has an example:

    Apache web server

    You can configure an Apache web server to extract the IP address from the X-Forwarded-For HTTP header and log the IP address to the web server log file by adding the appropriate logging directives to the Apache httpd.conf file. For example:

    LogFormat "%v %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" X-Forwarded-For
    CustomLog /var/log/apache/www.example.com-xforwarded.log X-Forwarded-For

    Refer to the Apache logging documentation for more details.

    You can probably find more examples by googling 'Apache LogFormat Directive'.

    http://httpd.apache.org/docs/1.3/mod/mod_log_config.html#logformat

    Aaron
  • Posted By hoolio on 05/23/2007 7:54 AM

    If you're wanting to modify how Apache logs HTTP headers, I think you can use the LogFormat directive in your httpd.conf. SOL4816 (Click here) has an example:

    How Apache logs HTTP headers has nothing to do with it. The goal is to enable legacy applications to exist in an environment where the only authentication supported is client certificates.
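
The header renaming Joe describes earlier in the thread, as an added example that is not part of any post and is not Apache's or F5's code: a simplified Python model of how a CGI gateway builds the script environment, plus a check an application can use to decide when a forwarded address is believable. The function names, the trusted-proxy list and the sample addresses are assumptions made for the illustration, as is the choice to read the right-most X-Forwarded-For entry (it presumes the proxy appends its own value).

```python
# Added illustration (not from the thread): simplified model of the CGI
# environment a gateway such as Apache hands to a script (RFC 3875 rules).
import ipaddress

def build_cgi_env(peer_ip, headers):
    """Return the CGI environment for one request.

    peer_ip -- source address of the TCP connection the server accepted
    headers -- list of (name, value) request headers, whoever supplied them
    """
    env = {}
    for name, value in headers:
        # Every request header becomes HTTP_<NAME>: upper-cased, '-' -> '_'.
        key = "HTTP_" + name.upper().replace("-", "_")
        # Repeated headers collapse into one comma-separated value.
        env[key] = f"{env[key]}, {value}" if key in env else value
    # REMOTE_ADDR comes from the socket, never from a header, so a header
    # named REMOTE_ADDR can only ever appear as HTTP_REMOTE_ADDR.
    env["REMOTE_ADDR"] = peer_ip
    return env

def client_address(env, trusted_proxies):
    """Pick the client address an application should act on.

    The forwarded header is honoured only when the connection itself came
    from a trusted proxy (hypothetical list, e.g. the load balancer's IPs).
    """
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return env["REMOTE_ADDR"]      # direct client: ignore its headers
    forwarded = env.get("HTTP_X_FORWARDED_FOR", "")
    # Assumption: the proxy appends, so the right-most entry is its own.
    candidate = forwarded.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return env["REMOTE_ADDR"]      # header missing or malformed

# Constructed sample: a proxy at 10.0.0.5 inserted both headers.
SAMPLE = build_cgi_env("10.0.0.5", [("REMOTE_ADDR", "203.0.113.7"),
                                    ("X-Forwarded-For", "203.0.113.7")])
```

A request that reaches the web server without passing through the proxy keeps its socket address no matter what headers it carries, which is why the trusted-proxy check comes before any header is read.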