Forum Discussion
Nicholas_Irving
Nimbostratus
Jul 23, 2008
SSL Termination and Client IP Address
Hi, I am working with some network engineers on trying to figure out how to get the following scenario working. Please bear in mind that I am not educated in F5, but just want to find out if it is possible, so that I can get my network engineers working toward a resolution.
We have an F5 Load Balancer that is doing SSL Termination for us and is passing the client request to a pair of Apache Web Servers. What I am finding is that the SNAT IP address is being presented as the Client IP Address, as opposed to the one coming into the SSL LB. This is causing us problems, as we have security enabled on some application servers that checks that the Client IP Address is the same as the one they registered with. Since the front end is not behind F5, it gets the Client IP Address from the Internet, and the authentication servers use that to secure the session. When another application behind the SSL Termination F5 compares what it thinks is the Client IP Address (in fact it is the SNAT IP Address from the F5) against what is stored in the secure session, there is a mismatch.
Is there any way I can get the Client IP address and not the SNAT presented to Apache, so that the 2 match? I really do not want every request to come from 1 SNAT IP address, instead from the many that could come from the Internet.
Thanks in advance.
3 Replies
- Nicholas_Irving
Nimbostratus
Think I have found the answer.
- dennypayne
Employee
Check out the discussion in these two threads as well, depending on the network design you may not need SNAT:
- Nicholas_Irving
Nimbostratus
Thanks, I will have our engineers look into those suggestions. I thought it was possible to do.