Forum Discussion
SNAT based on XFF to internet
Hi All,
My company is trying to get LTM to work with an IronPort proxy. The proxy's gateway is pointed at the F5, and we have configured a Performance (Layer 4) virtual server to let the traffic pass through. So far, from what we have observed with our iRule, the XFF header is not matched properly and it is intermittently having issues.
```tcl
when HTTP_REQUEST {
    set XFF [HTTP::header X-Forwarded-For]
    log local0. $XFF
    if { [catch {class match [HTTP::header "X-Forwarded-For"] equals abc-address}] } {
        log local0. "$XFF hit ABC"
        snatpool SNAT_POOL_1.1.1.1
    } elseif { [catch {class match [HTTP::header "X-Forwarded-For"] equals def-address}] } {
        log local0. "$XFF hit DEF"
        snatpool SNAT_POOL_2.2.2.2
    } elseif { [class match [IP::client_addr] equals proxy-address] } {
        log local0. "not nat. proxy going to internet"
    } else {
        log local0. "Not matching any ip. traffic dropped"
        drop
    }
}
```
Would anyone be able to help advise whether it is the rule that has the issue?
Try something like this:
```tcl
when HTTP_REQUEST {
    if { [HTTP::header values "X-Forwarded-For"] ne "" } {
        # Drop spaces, split the header on commas and test each element in turn
        foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
            log local0. "Current XFF element: $xff"
            if { [class match $xff eq abc-address] } {
                log local0. "$xff hit ABC"
                snatpool SNAT_POOL_1.1.1.1
                return
            }
            if { [class match $xff eq def-address] } {
                log local0. "$xff hit DEF"
                snatpool SNAT_POOL_2.2.2.2
                return
            }
        }
    } else {
        log local0. "No X-Forwarded-For header found."
    }
    # No XFF element matched: only the proxy itself may continue without SNAT
    if { !([class match [IP::client_addr] equals proxy-address]) } {
        log local0. "Not matching any ip. traffic dropped"
        drop
    }
}
```
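Both the original poster's rule and the suggested rewrite choose the SNAT pool from whatever X-Forwarded-For value arrives. The stand-alone Python model below is added here to make that decision logic runnable outside BIG-IP; it is not an iRule and not code from the thread or from F5. It reproduces the split-and-match steps with constructed address data groups standing in for abc-address, def-address and proxy-address, and adds an optional trusted_hop_only mode that evaluates only the element the IronPort proxy itself appended (the last one), because every element before it is supplied by the client and can be forged. The prefixes, the request samples and the trusted_hop_only name are all assumptions made for the example.

```python
import ipaddress

# Constructed stand-ins for the BIG-IP address data groups used in the thread.
# The prefixes are assumptions for the example, not the poster's real networks.
DATA_GROUPS = {
    "abc-address":   ["10.1.0.0/16"],
    "def-address":   ["10.2.0.0/24", "192.0.2.10/32"],
    "proxy-address": ["10.9.9.9/32"],          # the IronPort's own address (assumed)
}

# Order matters: the iRule tests abc-address before def-address.
SNAT_BY_GROUP = [
    ("abc-address", "SNAT_POOL_1.1.1.1"),
    ("def-address", "SNAT_POOL_2.2.2.2"),
]


def class_match(addr, group):
    """Stand-in for `class match $addr equals <group>` on an address data group."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # not an IP literal: never matches
        return False
    return any(ip in ipaddress.ip_network(net) for net in DATA_GROUPS[group])


def xff_elements(header_value):
    """Mirror the iRule: drop spaces, split on commas, ignore empty pieces."""
    if not header_value:
        return []
    return [e for e in header_value.replace(" ", "").split(",") if e]


def select_snat(client_addr, xff, trusted_hop_only=False):
    """Decide what the iRule would do for one request.

    Returns ("snat", pool), ("passthrough", None) or ("drop", None).
    trusted_hop_only (an assumption, not in the thread) restricts matching to
    the element the trusted proxy appended, i.e. the last one, and only when
    the request really came from that proxy.
    """
    elements = xff_elements(xff)
    if trusted_hop_only:
        elements = elements[-1:] if class_match(client_addr, "proxy-address") else []
    for element in elements:
        for group, pool in SNAT_BY_GROUP:
            if class_match(element, group):
                return ("snat", pool)
    if class_match(client_addr, "proxy-address"):
        return ("passthrough", None)   # proxy itself going out, no SNAT
    return ("drop", None)


if __name__ == "__main__":
    # Constructed requests; the last one is a client behind the proxy that
    # forged an X-Forwarded-For entry before the proxy appended its real address.
    cases = [
        ("10.9.9.9",   "10.1.5.5"),
        ("10.9.9.9",   "192.0.2.10"),
        ("10.9.9.9",   None),
        ("172.16.0.1", None),
        ("10.9.9.9",   "10.1.5.5, 203.0.113.7"),
    ]
    for client, xff in cases:
        print(f"{client:>12} {str(xff):<24} scan-all={select_snat(client, xff)} "
              f"trusted-hop={select_snat(client, xff, trusted_hop_only=True)}")
```

Running the script shows the difference for the forged case: scanning every element sends it out via SNAT_POOL_1.1.1.1, while the trusted-hop variant ignores the client-supplied entry. Two practical notes apply to the real rule as well: the model, like the iRule, reads a single header value, so a request carrying several X-Forwarded-For headers would need the list from `HTTP::header values` joined first; and on BIG-IP the HTTP_REQUEST event only runs when the virtual server carries an HTTP profile, which a Performance (Layer 4) virtual server cannot have, so a Standard virtual server is required for this rule to execute at all.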
- Sergio000_19532 (Nimbostratus)
Try setting the virtual server to Standard mode and not Performance (Layer 4).
- henry_kay_36032 (Nimbostratus)
When I set it to Standard mode, I set the pool member as the next hop device; however, it does not know how to get to the destination (public website).
In tcpdump, the HTTP URL destination is removed and the next hop device simply resets the connection.