Forum Discussion
SNAT/X-Forwarded
Hi,
you could either insert the X-Forwarded-For header just on the first HA pair and disable the X-Forwarded-For insertion on the second HA pair (see HTTP Profile options).
Alternatively you can use the following iRule on the second unit to consolidate multiple X-Forwarded-For's into a single header.
    when HTTP_REQUEST {
        if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
            HTTP::header remove "X-Forwarded-For"
            HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
        } else {
            HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
        }
    }
The iRule will collect any existing X-Forwarded-For header values, then remove any existing X-Forwarded-For headers and finally create a new one with the collected values + the current "X-Forwarded-For" value. E.g.:
Incoming HTTP request headers:
    GET / HTTP/1.1
    Host: site.domain.de
    ...
    X-Forwarded-For: 1.1.1.1
    X-Forwarded-For: 2.2.2.2, 3.3.3.3
    X-Forwarded-For: 4.4.4.4
Outgoing HTTP request headers:
    GET / HTTP/1.1
    Host: site.domain.de
    ...
    X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5
Note: When using the iRule on your second HA pair, make sure to disable the automatic X-Forwarded-For insert option in your HTTP profile on those devices. The insert will already be handled by this iRule...
Cheers, Kai
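
Added example, not part of the post above and not F5 code: a Python model of what the iRule does to the header list, run on the sample request from the post, plus a backend-side helper that picks the client address from the consolidated header by skipping proxies the operator runs. The function names, the `%1` route-domain suffix and the trusted-proxy set are assumptions made for illustration.

```python
import ipaddress

XFF = "x-forwarded-for"

def strip_route_domain(addr):
    # Mirrors [getfield [IP::client_addr] "%" 1]: "10.0.0.5%2" -> "10.0.0.5"
    return addr.split("%", 1)[0]

def consolidate_xff(headers, client_addr):
    """Model of the iRule. headers: list of (name, value) pairs in wire order."""
    collected = [v for n, v in headers if n.lower() == XFF]
    kept = [(n, v) for n, v in headers if n.lower() != XFF]
    # join the collected values with ", " and append the connection's source address
    merged = ", ".join(collected + [strip_route_domain(client_addr)])
    return kept + [("X-Forwarded-For", merged)]

def client_from_xff(value, trusted_proxies):
    """Backend side: walk right to left, skip our own proxies, return the first
    other hop. Everything left of that hop was supplied by the sender and is
    unverified, so it is never returned."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    hops = [h.strip() for h in value.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: stop instead of reading further left
        if ip not in trusted:
            return str(ip)
    return None

# Constructed sample: the incoming request headers shown in the post.
SAMPLE = [
    ("Host", "site.domain.de"),
    ("X-Forwarded-For", "1.1.1.1"),
    ("X-Forwarded-For", "2.2.2.2, 3.3.3.3"),
    ("X-Forwarded-For", "4.4.4.4"),
]

if __name__ == "__main__":
    out = consolidate_xff(SAMPLE, "5.5.5.5%1")
    print(out[-1])
    # Assumption: 5.5.5.5 is an address of the operator's own first HA pair.
    print(client_from_xff(out[-1][1], {"5.5.5.5"}))
```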