Forum Discussion
Geoff_Littlewoo
Nimbostratus
Jul 24, 2009
Use iRule to extract X-Forwarded out of HTTP packet
I have a polling HTTP packet that the LTM does not see as a proper compliant HTTP packet.
Due to this the device sends a single packet in and the F5 closes the connection. This connection needs to remain open. To fix this, the HTTP profile is removed from the Virtual Server. The X-Forwarded header is needed from the packets that then flow through the LTM. The X-Forwarded header becomes the IP address of the LTM and not the source device.
I am looking for an iRule that will look at this packet and extract the X-Forwarded contents and send it through, as the source address sent becomes the interface of the LTM.
14 Replies
- Geoff_Littlewoo
Nimbostratus
I am unable to write an iRule picking out the following because I cannot use a HTTP profile.
when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
So I need to write an iRule to look at the packet and take out X-Forwarded-For.
- hoolio
Cirrostratus
Can you clarify this? Do you want LTM to spoof the value of the XFF header that a prior device in the chain inserted? Or do you want LTM to insert the IP address it received as the client into an XFF header?
Aaron
- Geoff_Littlewoo
Nimbostratus
Aaron
Yes, I need the iRule to put "X-Forwarded-for" of the original IP address; otherwise it puts the IP address of the LTM interface in the HTTP header.
If I used a HTTP profile it inserted this in the packet. I configured the profile to insert the X-Forwarded-For, but due to the nature of the sending device the F5 does not then see this as a compliant HTTP packet. So I am unable to apply a HTTP profile of any sort. Unable to write a simple iRule as it then requires an HTTP profile.
So if possible the packet that the back end server gets has the originator's IP and NOT the LTM interface.
Thanks.
- Geoff_Littlewoo
Nimbostratus
Aaron,
I have been reading some other threads and wondered, if I make the IIS server (back end server) Def Gateway to be the LTM interface and turn off SNAT on the VS, will this resolve my issue?
Will I be able to apply a HTTP profile and preserve the originating client's IP address? Just a thought ....
- hoolio
Cirrostratus
If you need to see the original client IP address in logs and cannot add an HTTP profile, it would be a lot more efficient in terms of LTM processing to change the default gateway to the LTM and turn off SNAT on the VIP. You wouldn't need to insert the XFF header then or add an HTTP profile.
Aaron
- Geoff_Littlewoo
Nimbostratus
Aaron,
Thanks, I will try that. But if this does not work, do you know of an iRule, or could you help me write one if needed, as it's the packets being passed by the LTM that my back end client uses.
I will go try and see what the outcome is ..
Thanks.
- hoolio
Cirrostratus
It would be more efficient to use an HTTP profile if you can. The alternative is to collect every TCP payload and insert the HTTP header in the TCP payload.
One option that could possibly work is to disable the HTTP profile after the HTTP headers of the first request have been parsed.
when HTTP_REQUEST {
    # Insert XFF header
    HTTP::header insert X-Forwarded-For [IP::client_addr]
    # Disable the HTTP profile for the rest of this TCP connection
    HTTP::disable
}
If that works, you should consider that the client may try to send multiple HTTP requests over the same TCP connection. Is this a possibility?
Aaron
- Geoff_Littlewoo
Nimbostratus
Aaron,
Used Wireshark after applying the iRule and the first packet we saw in has the source IP address as required, but then all subsequent HTTP packets come through with the IP of the LTM.
- Geoff_Littlewoo
Nimbostratus
Is there any way of stopping this, as I need to consistently have the source IP and not the LTM, and the device will be heartbeating frequently.
- hoolio
Cirrostratus
What VIP configuration are you using? Is SNAT enabled or disabled? Are you using an iRule?
Are you seeing the monitor traffic in your trace? If you have a redundant pair with SNAT enabled, the load balanced traffic would be sourced from LTM's floating self IP address to the server IP's. With/without SNAT, LTM's monitor traffic will be sent from the non-floating self IP address(es).
Aaron
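The TCP-payload alternative Aaron mentions earlier (collect each client-side segment and insert the header into the raw payload, for the case where no HTTP profile can be applied), as an added example that is not from this thread. It assumes each client segment carries one complete request header block; anything that does not start with an HTTP request line, such as a non-compliant heartbeat, is passed through untouched.

```tcl
# Added example (not from the thread): preserve the client IP when the
# HTTP profile cannot be used, by rewriting each raw TCP segment.
# Assumption: one complete request header block per segment (no reassembly).
when CLIENT_ACCEPTED {
    # Start collecting client-side payload so CLIENT_DATA fires
    TCP::collect
}
when CLIENT_DATA {
    set payload [TCP::payload]
    # Only touch data that looks like the start of an HTTP request
    if { [regexp {^[A-Z]+ \S+ HTTP/1\.[01]\r\n} $payload] } {
        set hdr_end [string first "\r\n\r\n" $payload]
        if { $hdr_end != -1 } {
            # Split after the request line; the header goes right behind it
            set line_end [string first "\r\n" $payload]
            set head [string range $payload 0 [expr {$line_end + 1}]]
            set tail [string range $payload [expr {$line_end + 2}] end]
            # Do not add a second XFF if an upstream device already sent one
            if { ![string match -nocase "*x-forwarded-for:*" $tail] } {
                set xff "X-Forwarded-For: [IP::client_addr]\r\n"
                TCP::payload replace 0 [TCP::payload length] "$head$xff$tail"
            }
        }
    }
    # Forward this segment to the server and keep collecting for the next one
    TCP::release
    TCP::collect
}
```

If the heartbeat packet the LTM rejects does not match the request-line pattern, the regexp is the place to loosen so those segments get the header too.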