Web Accelerator and X-Forwarded-For

Question

I have a new WA deployment. I am using a redundant pair of 6400 with the WA feature. I am running 9.4.5 HF2. 
  
 This is my typical LTM configuration that I am using for a give site 
 monitor site.com_monitor { 
 defaults from http 
 send "GET /bigip/bigip.html HTTP/1.1
Host: site.com
Connection: Close

" 
 } 
  
 pool site.com_pool { 
 lb method predictive 
 action on svcdown reselect 
 monitor all site.com_monitor 
 members 
 10.1.1.1:http 
 10.1.1.2:http 
 } 
  
 profile httpclass site.com_httpclass { 
    defaults from httpclass 
    wa enable 
 }

virtual site.com { 
 pool site.com_pool 
 destination 10.2.1.1:http 
 ip protocol tcp 
 httpclass site.com_httpclass 
 profiles 
       oneconnect 
       tcp-lan-optimized 
          clientside 
       tcp-wan-optimized 
          serverside 
       http-acceleration 
 }

and I use a modified version of the Level 2 policy for the site. What I am wanting to be sure is that my web access logs on my web servers have the correct client IP address for request, so I would like to insert the X-Forwarded-For header using the HTTP profile. I would prefer not to modify the http-acceleration profile but to create a new one that inherits from it. When I tried that, I noticed that my hits for Hot Cache went to 0. What would be the recommended way to get X-Forwarded-For header sent to the origin servers - modify http-acceleration profile, iRule, or something else? 
  
 Thanks, 
  
 Mark

mark_curole · Answer

Well, I found my answer on the wiki - http://devcentral.f5.com/wiki/default.aspx/WebAccelerator/ISAPI_Filter.html. But there is one problem, the entry states that the ISAPI filter is attached in a zip, but there is no attachment - I am running IIS. Anyone know where the filter is?

don_macvittie_1 · Answer

That wiki entry was created two years ago by Colin, I'll ping him about it, but two years seems too long. I know another thread said that it is strongly recommended that you use the http-acceleration profile and not something that inherits from it.  
&nbsp; Have you seen this note on Ask F5 - https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html 
&nbsp;  
&nbsp; Regards, 
&nbsp; Don.

mark_curole · Answer

Thanks Don, 
&nbsp;  
&nbsp; I had read that article, but it was a while back. I already have the X-Forwarded-For ISAPI filter running on my servers. I guess, I can just use the iRule approach. Let me know if you find anything out about an ISAPI filter for X-Remote-Addr. 
&nbsp;  
&nbsp; Mark &nbsp;

dawn_parzych_20 · Answer

When using WebAccelerator there is no need to modify the http profile to add X-Forwarded-For WebAccelerator automatically inserts the origin client IP address in an X-Remote-Addr header.  I have a zip file of an ISAPI filter I will work with Don on getting it uploaded.

mark_curole · Answer

Thanks

Forum Discussion

Web Accelerator and X-Forwarded-For

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Extracting X-Forwarded-For in Node.js

TCP Option 28 X-Forwarded-For Header

X-Forwarded-For Log Filter for Windows Servers

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

X-Forwarded-For on L4 VS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS