Forum Discussion
X-Forwarded-For and SNAT addresses
When debugging a minor issue for a client a couple of weeks ago, I wound up staring at a screenful of header dump that showed the X-Forwarded-For value which appears to be not the IP address of the requesting client, but the SNAT address assigned to the F5 (BIG-IP 11.4.1 Build 637.0 Hotfix HF3). This happens with both the HTTP profile and the iRule.
Is it actually possible to get the X-Forwarded-For header to show the original client IP address while SNAT is in use and/or am I missing something here?
3 Replies
- Kevin_Stewart
Employee
It's definitely safe to say that the XFF header should hold the client's true source. What happens if you log it?
```
when HTTP_REQUEST {
    log local0. "client IP is [IP::client_addr]"
    HTTP::header replace X-Forwarded-For [IP::client_addr]
}
```
Any chance that your logging configuration is not correctly picking up the XFF header? Can you do a tcpdump server side capture to see exactly what is coming from the BIG-IP?
- Paul_Roberts_16
Nimbostratus
I say this because the user in question had one of those lovely debug scripts in place that just echoes back the full query along with each and every header passed, which is why I noticed it. However, something else just caught my eye... you posted IP::client_addr instead of IP::remote_addr (like the iRule has). Is perhaps IP::client_addr what we should be using instead of IP::remote_addr as shown at http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html ?
- Kevin_Stewart
Employee
IP::remote_addr is contextual, meaning it returns a different value depending on which side of the proxy it's called from. In this case it should indeed be the client's address, but I prefer to use IP::client_addr as a more definitive option. If you add the log statement, what value do you get?
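Added example (not part of the thread or posted by any participant): a diagnostic iRule that logs what each address command returns on the client side and on the server side of one connection, which shows the contextual behaviour of IP::remote_addr described in the last reply. It assumes a virtual server with an HTTP profile and SNAT enabled; the log message labels are made up for this example.

```tcl
# Added illustration, not from the thread: compare the address commands
# in client-side and server-side contexts for the same connection.

when CLIENT_ACCEPTED {
    # Client-side context: remote = requesting client, local = virtual server address
    log local0. "CLIENT_ACCEPTED remote=[IP::remote_addr] local=[IP::local_addr] client=[IP::client_addr]"
}

when HTTP_REQUEST {
    # Still client-side, so remote_addr and client_addr should agree here
    log local0. "HTTP_REQUEST remote=[IP::remote_addr] client=[IP::client_addr] xff_in=[HTTP::header values X-Forwarded-For]"

    # HTTP::header replace only touches the last occurrence of a header.
    # Removing every occurrence first means the back end never sees an
    # X-Forwarded-For value supplied by the client itself.
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}

when SERVER_CONNECTED {
    # Server-side context: remote = pool member, local = source address the
    # BIG-IP used towards the pool member (the SNAT address when SNAT is on).
    # IP::client_addr still returns the original client address.
    log local0. "SERVER_CONNECTED remote=[IP::remote_addr] local=[IP::local_addr] client=[IP::client_addr]"

    # clientside {} forces the enclosed command to run in client-side context
    log local0. "SERVER_CONNECTED clientside-remote=[clientside {IP::remote_addr}]"
}
```

Comparing the HTTP_REQUEST and SERVER_CONNECTED log lines for one request, alongside the server-side tcpdump suggested above, shows which address actually reaches the back end in the header.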