SNAT/X-Forwarded

Question

Hey guys,&nbsp;
Bit of a weird one this. So I have 2 HA pairs both SNAT'ing but require the x forwarded to preserve the original source IP to due an access control for the client IP on the end server.&nbsp;
The traffic comes in on the first pair, I SSL offload, I then use server-side incompatible to pass it on the next pair. It then hits the next pair so would it be best just to make this pass through and then hit the SNAT again to reach the end server? I have in my head this would work but I may be missing something.&nbsp;
The key to it is basically having the original client IP available when it reaches the end server.&nbsp;
Thanks for the input!&nbsp;

kai_wilke · Answer

Hi ,
you could either insert the X-Forwarded-For header just on the first HA pair and disable the X-Forwarded-For insertation on the second HA pair (see HTTP Profile options). 
Alternatively you can use the following iRule on the second unit to consolidate multiple X-Forwarded-For's into a single header.
when HTTP_REQUEST {
    if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
        HTTP::header remove "X-Forwarded-For" 
        HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
    } else {
        HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
    }
}

The iRule will collect any existing X-Forwarded-For header values, then remove any existing X-Forwarded-For headers and finally create a new one with the collected values + the current "X-Forwarded-For" value. E.g.:
Incomming HTTP request headers:
GET / HTTP/1.1  
Host: site.domain.de  
... 
X-Forwarded-For: 1.1.1.1  
X-Forwarded-For: 2.2.2.2, 3.3.3.3
X-Forwarded-For: 4.4.4.4

Outgoing HTTP request headers
GET / HTTP/1.1  
Host: site.domain.de  
... 
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5

Note: When using the iRule on your second HA pair, then make sure to disable the automatic X-Forwarded-For insert option in your HTTP profile on those devices. The insert will be already handled by this iRule...
Cheers, Kai

kai_wilke · Answer

Hi Donster,
just the 1st pair has to insert the X-Forwarded-For header. This can be done by using a Standard VS with HTTP Profile attached and either X-Forwarded-For HTTP Profile settings enabled or by disabling the X-Forwarded-For HTTP Profile settings and deploying an iRule like this...
when HTTP_REQUEST {
    HTTP::header remove "X-Forwarded-For" 
    HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] "%" 1]
}

Note: You could also use the iRule of my previous post, if you need to consolidate existing X-Forwarded-For headers into a unified header. 
On the second unit you may also use a Standard VS with HTTP Profile attached - but you don't have to. If a HTTP Profile is getting attached, then you have to make sure that the X-Forwarded-For HTTP Profile settings are disabled.
Cheers, Kai

Forum Discussion

SNAT/X-Forwarded

Recent Discussions

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

Related Content

SNAT / X-FORWARD-FOR breaks HTTPS connection

Values in X-Forwarded-For when SNAT is enable

X-Forwarded-For and SNAT addresses

X-FORWARDED-FOR AND ERASING SNAT IP FROM APACACHE LOGS

X-Forwarded-For and SNAT-clientside/serverside ssl profile

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS