Forum Discussion
Eric_Oakeson_68
Nimbostratus
Nov 03, 2008
Source IP in HTTP header when doing SNAT
I have kind of a strange request here, but the customer wants the original IP to be in the HTTP header for the application to read. However, we are doing SNAT on the LTMs, so we're not sure if this is even possible. We're doing global load balancing with LTMs in POPs around the world. So the GTM gets them to the closest LTM, then the "remote" LTM (in the POP) sends the traffic to the main datacenter in the US. We use SNAT between the POP LTM and data center LTMs. The users' traffic is NATed at the POP in order for the network to route it back properly to the appropriate POP they came from. The application sees the source as the POP LTM, but now they also want to see the original source IP as well. Is there an iRule that could accomplish this? Keep the original IP in the HTTP header even though the source IP is being NATed?
Here's how the flow works:
User -> POP LTM -> Data center LTM -> server
- spark_86682
Historic F5 Account
You don't even need an iRule for this; there's a setting in the HTTP profile called "Insert X-Forwarded-For" that will insert a header named X-Forwarded-For with the original client's IP address.
- Eric_Oakeson_68
Nimbostratus
Ok, follow-up question... Since the user passes through 2 sets of LTMs, will the 2nd set maintain the original client IP or, since the client is SNAT-ed behind the 1st set of LTMs, will the servers see the 1st set of LTMs as the source? Basically, will that X-Forwarded-For header be maintained all the way to the server?
- spark_86682
Historic F5 Account
If you have it configured on both sets of LTMs then (assuming that no other device in the middle changes it) there will be two X-Forwarded-For headers and the first one will have the client's IP. The second LTM shouldn't change the header unless you configure it to. It sounds like you should only configure that header to be inserted on the set of LTMs that can see the client IP.
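The two-header situation spark_86682 describes, seen from the application that has to read the header, as an added example that is not from this thread or from F5. It assumes a constructed topology (client 203.0.113.7, POP LTM SNAT address 198.51.100.5, data center LTM SNAT address 192.0.2.10) and that "Insert X-Forwarded-For" is enabled on both LTMs, so the server receives one header per LTM. One caveat a practitioner will want that the thread does not cover: a client can send its own X-Forwarded-For header before the POP LTM inserts one, and unless that LTM strips client-supplied copies, an application that simply reads the leftmost value is trusting an attacker-controlled string. The resolver below therefore walks the chain from the right (the hop closest to the server) and discards every address that belongs to a known LTM; the first address that is not one of our own proxies is the client. The naive leftmost-value reader is kept alongside for contrast.

```python
"""Resolve the originating client IP behind a chain of SNATing LTMs.

Added example; the addresses and trust list are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed topology (assumed, not from the thread):
#   client 203.0.113.7 -> POP LTM (SNAT 198.51.100.5) -> DC LTM (SNAT 192.0.2.10) -> server
# Every proxy we operate and whose inserted headers we are willing to believe.
TRUSTED_PROXIES = [ip_network("198.51.100.5/32"), ip_network("192.0.2.10/32")]


def is_trusted(addr: str) -> bool:
    """True if addr is one of our own LTM SNAT addresses."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(ip in net for net in TRUSTED_PROXIES)


def xff_chain(headers):
    """Flatten all X-Forwarded-For headers, in wire order, into one hop list.

    headers: list of (name, value) pairs exactly as received; duplicate
    headers are allowed. Multiple headers are treated like one comma-joined
    header, which is how HTTP defines repeated list headers.
    """
    hops = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(h.strip() for h in value.split(",") if h.strip())
    return hops


def naive_client_ip(headers) -> str:
    """The tempting but spoofable approach: leftmost value wins."""
    hops = xff_chain(headers)
    return hops[0] if hops else ""


def client_ip(peer_addr: str, headers) -> str:
    """Return the originating client address.

    peer_addr is the TCP peer the server actually accepted from. If that peer
    is not one of our LTMs, nobody we trust vouched for the header, so the
    peer itself is the best answer. Otherwise walk the chain from the right,
    dropping every hop that is a trusted proxy; the first untrusted hop is the
    client. Anything further left was supplied by an untrusted party.
    """
    if not is_trusted(peer_addr):
        return peer_addr
    hops = xff_chain(headers)
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    # Every hop was one of our proxies (e.g. an LTM health check): report the
    # leftmost hop if there is one, otherwise the peer.
    return hops[0] if hops else peer_addr


# Constructed sample requests as the server would see them (peer = DC LTM).
BOTH_LTMS_INSERT = [
    ("Host", "app.example.com"),
    ("X-Forwarded-For", "203.0.113.7"),    # inserted by the POP LTM
    ("X-Forwarded-For", "198.51.100.5"),   # inserted by the DC LTM (POP LTM's SNAT)
]
ONLY_POP_LTM_INSERTS = [
    ("Host", "app.example.com"),
    ("X-Forwarded-For", "203.0.113.7"),
]
CLIENT_SPOOFS_HEADER = [
    ("X-Forwarded-For", "10.0.0.1"),       # sent by the client itself
    ("X-Forwarded-For", "203.0.113.7"),
    ("X-Forwarded-For", "198.51.100.5"),
]

if __name__ == "__main__":
    for label, hdrs in [("both LTMs insert", BOTH_LTMS_INSERT),
                        ("only POP LTM inserts", ONLY_POP_LTM_INSERTS),
                        ("client spoofs header", CLIENT_SPOOFS_HEADER)]:
        print(f"{label:22s} naive={naive_client_ip(hdrs):14s} "
              f"hardened={client_ip('192.0.2.10', hdrs)}")
```

With both LTMs inserting, the hardened resolver returns 203.0.113.7 from either header layout, and it still returns 203.0.113.7 when the client prepends a forged header, where the leftmost-value reader returns 10.0.0.1. Following the advice to enable the insert only on the LTM that sees the client keeps the header short, but the server should still reject or ignore X-Forwarded-For on connections that do not arrive from a known LTM address.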
- dennypayne
Employee
Note that most servers are not configured to log XFF by default; there is an ISAPI plugin for IIS here in DevCentral that will modify it to do so. I believe Apache is not difficult to configure to do this either, but just keep in mind that you will have to modify the server's logging behavior to capture XFF.
- hoolio
Cirrostratus
SOL4816 describes how to insert/parse the XFF header: