Forum Discussion
X-FORWARDED-FOR AND ERASING SNAT IP FROM APACHE LOGS
I am using X-Forwarded-For and the web server admins would like to not see the SNAT IP in the logs. Currently I see both the client and the SNAT IP, the client being 208.97.218.10 and the SNAT 10.128.254.13. Can something be done within the x4 profile? "Request Header Erase"? I
Apache logs:
208.97.218.10, 10.128.254.13 - - [08/Jul/2014:10:06:42 -0500] "GET /XXXXXX/ HTTP/1.1" 200 2313 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11"
208.97.218.10, 10.128.254.13 - - [08/Jul/2014:10:06:42 -0500] "GET /XXXXXX HTTP/1.1" 304 - "XXXXXX" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11"
Apparently the below iRule also did not work to clear the double entries:
when HTTP_REQUEST {
    # Append the client address to an existing XFF list, or create the header
    if { [HTTP::header exists X-Forwarded-For] } {
        HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::remote_addr]"
    } else {
        HTTP::header insert X-Forwarded-For [IP::remote_addr]
    }
}
6 Replies
- Kevin_Stewart
Employee
The XFF header is a layer 7 object, while the SNAT address is a layer 4 value. You cannot use an iRule to change the SNAT address without altering routing and potentially defeating the reason you're using SNAT in the first place.
I would suggest tailoring the Apache log config to ignore the source address, the %h LogFormat value, and perhaps replacing it with the XFF header value \"%{X-Forwarded-For}i\".
- ofilipe_68719
Nimbostratus
The admin tried the %h and mentioned there was a comma-separated value issue. The strange thing is I do not see this on other device VIPs:
146.180.106.231 - - [09/Jul/2014:14:04:45 -0500] "POST /XXXXXX HTTP/1.1" 200 1177 "XXXXXX" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
66.150.110.71 - - [09/Jul/2014:14:04:55 -0500] "POST /XXXXXX HTTP/1.1" 200 25 "xxxxxxxxxxxxxxxxxx" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
- Kevin_Stewart
Employee
So what does it look like if you do something like this?
LogFormat "\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" common
- Gabriel_Castro_
Nimbostratus
Hi folks,
I am facing the same problem, where the XFF is working but I am still receiving the self IP sometimes in the Apache log.
Would you help me out with this?
Thank you, Gabriel Castro
- Kevin_Stewart
Employee
You're basically getting two different IP addresses in different data streams. One is coming from an HTTP header (layer 7) and the other at TCP/IP layer 3. If you don't want the layer 3 address, then you need to configure your Apache logs to ignore this value.
- JRahm
Admin
If going through multiple proxies, the XFF will end up as a list instead of a single IP. You'd need to split the list and select one of them (like NOT the self) and then do a header replace on XFF.
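The "split the list and pick the entry that is not the self IP" step above, as an added example that is not part of this thread and not F5 or Apache code: it parses log lines in the format the OP posted (where the first field is the comma-separated X-Forwarded-For value), walks the list from the right dropping addresses that belong to the BIG-IP SNAT/self-IP range, and keeps the first address that is not ours. Walking from the right matters because the left end of an XFF list is whatever the client chose to send, so the constructed sample includes a spoofed first entry and a health check that carries only the self IP. The SAMPLE_LOG lines and the 10.128.254.0/24 trusted range are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the OP's Apache output: the %h position
# holds the X-Forwarded-For value. Line 2 carries a client-supplied entry
# (1.2.3.4) ahead of the real peer; line 3 is a monitor hitting from the self IP.
SAMPLE_LOG = """\
208.97.218.10, 10.128.254.13 - - [08/Jul/2014:10:06:42 -0500] "GET /app/ HTTP/1.1" 200 2313 "-" "Mozilla/5.0"
1.2.3.4, 203.0.113.77, 10.128.254.13 - - [08/Jul/2014:10:07:01 -0500] "GET /app/ HTTP/1.1" 200 2313 "-" "curl/7.0"
10.128.254.13 - - [08/Jul/2014:10:07:15 -0500] "GET /health HTTP/1.1" 200 2 "-" "monitor"
"""

# Assumed: the SNAT pool / self IPs of our own BIG-IP live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.128.254.0/24")]

# First field up to " - - [", then timestamp, request line and status code.
LOG_RE = re.compile(
    r'^(?P<xff>[^\[]+?) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_trusted(addr: str) -> bool:
    """True if addr is a valid IP inside one of our own proxy/SNAT networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(xff_value: str) -> Optional[str]:
    """Select the client address from an XFF list.

    Entries are appended left-to-right by each hop, so the rightmost entries
    are the ones our own devices added. Strip those, and the next entry to
    the left is the peer our trusted hop actually talked to. Anything further
    left was supplied by an untrusted party and is never used.
    """
    hops: List[str] = [h.strip() for h in xff_value.split(",") if h.strip()]
    while hops and is_trusted(hops[-1]):
        hops.pop()
    if not hops:
        return None  # only our own addresses were present (e.g. a monitor)
    candidate = hops[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None  # malformed entry: do not log garbage as a client address
    return candidate


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into its fields, resolving the client address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "xff": m["xff"],
        "client": client_ip(m["xff"]),
        "timestamp": m["ts"],
        "request": m["req"],
        "status": int(m["status"]),
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line, skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for row in parse_log(SAMPLE_LOG):
        print(f'{row["client"]!s:16} <- "{row["xff"]}"  {row["request"]}')
```

The same walk is what an XFF-rewriting iRule would do before `HTTP::header replace`, and it is also what Apache 2.4's mod_remoteip does natively when `RemoteIPHeader X-Forwarded-For` is combined with `RemoteIPInternalProxy` listing the SNAT range, after which `%a` logs the resolved client address instead of the SNAT peer.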