Forum Discussion
Kalpesh_48932
Nimbostratus
Nimbostratusx-forward-for irule
Hello Friends,
I have configured x-forward-for irule on my F5 and also it is enabled on HTTP profile. but it seems its not working cause on Apache server, we are getting only value of self IP, but not end client IP. I dont know why?
below is the script we have on Apache server
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined_forwarded
SetEnvIfNoCase X-Forwarded-For "." from_proxy=1
CustomLog /appl/liferay/logs/http-access.log combined env=!from_proxy
CustomLog /appl/liferay/logs/http-access.log combined_forwarded env=from_proxy
this script works well, when we access application without F5, but do not work when, connects to application via F5
Irule configured on F5 is
when HTTP_REQUEST { HTTP::header insert "X-Forwarded-For" [IP::client_addr] }
can someone suggest if any changes in Irule required to work with above apache sript?
Leonardo_39231I'm sure someone will correct me if I'm wrong but I don't believe you want the quotes(") around X-Forwarded-For.
Try this:
when HTTP_REQUEST { HTTP::header insert X-Forwarded-For [IP::client_addr] }https://devcentral.f5.com/wiki/iRules.XForwardedForSingleHeaderInsert.ashx
- Leonardo_39231If you want this turned on for all of your http traffic you can also turn on "x-forwarded for" in the http profile, there should be a drop-down box to enable it on the http profile.
Kalpesh_48932Hello Leonardo,
I tried this too, by removing "" from syntax. Also option is enabled in HTTP profile
still its not working- Leonardo_39231Kalpesh,
Are you familiar with logging in the irule? I would try logging in the irule to see what headers it's sending out to the pool member(s).
Something like this:
when HTTP_REQUEST {
HTTP::header insert X-Forwarded-For [IP::client_addr]
set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
log local0. "============================================="
log local0. "$LogString (request)"
foreach aHeader [HTTP::header names] {
log local0. "$aHeader: [HTTP::header value $aHeader]"
}
log local0. "============================================="
}
when HTTP_RESPONSE {
log local0. "============================================="
log local0. "$LogString (response) - status: [HTTP::status]"
foreach aHeader [HTTP::header names] {
log local0. "$aHeader: [HTTP::header value $aHeader]"
}
log local0. "============================================="
}
https://devcentral.f5.com/wiki/irules.loghttpheaders.ashx - Kevin_Stewart
Employee
A few things to consider.
1. It doesn't matter if you encapsulate the header name in quotes or not in the [HTTP::header insert ] statement. It'll work the same either way.
2. If you enable "Insert X-Forwarded-For" in the HTTP profile, then you don't need to do it in the iRule, or vice versa.
3. I'd suggest looking at a capture of the data going to the server. It may be that your logging is misconfigured and the X-Forwarded-For header is actually being sent. - Kalpesh_48932Hello,
I tried keeping only one option to insert x-forward and in logs i found nothing :(
how to check logs for x-forward on F5? any command? tcpdump? or i wl find it in /log file? - Kevin_StewartAssuming traffic to the server is not encrypted, try a TCPDUMP. Something like this:
tcpdump -lnni 0.0 -Xs0 [filter of your choice to limit view]
The -Xs0 flags will show the payload data in the captures. You should see HTTP request messages coming from the BIG-IP, containing several headers.
