For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Glenn_32974's avatar
Glenn_32974
Icon for Nimbostratus rankNimbostratus
Jan 27, 2015

X-Forwarded-For extraction in Apache RHEL 6.5 HOW-TO

Hello Guys

 

This should be a fairly easy question for the Gurus here

 

Im using SNAT on my Vip and I need to log the real IP address of clients for auditing reasons

 

Since I have always implemented BIG-IP in routed mode I usually don't have to care about this, but this time I had to use SNAT mode instead so this procedure of extracting the X-Forwarded-For header is fairly new to me

 

I have follow instructions outline here ( listed below): http://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html

 

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy SetEnvIf X-Forwarded-For "^......." forwarded CustomLog "logs/access_log" combined env=!forwarded CustomLog "logs/access_log" proxy env=forwarded

 

and also in the F5 article: https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

 

but none of them seem to work...

 

Im a bit confused on where do I actually have to made config changes... whether the httpd.conf file or the ssl.conf file ( since all my traffic is actually SSL traffic) I did it on my http.conf file with no positive results

 

Im on Apache RHEL 6.5

 

Has anyone succeeded on extracting the real IP address from the X-Forwarded-For header

 

many thanks in advanced

 

2 Replies

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Jan 27, 2015

    You've not mentioned what you've done on the F5 itself? Have you tested/checked on the server that the header is actually being inserted, using tcpdump or something similar?

     

    I can't imagine you'd need to do anything in the ssl.conf file.

     

  • Glenn_32974's avatar
    Glenn_32974
    Icon for Nimbostratus rankNimbostratus
    Jan 27, 2015

    Hello My friend What Lies Beneath

     

    Sorry , you are right.. The way in inserting the X-F-F header is through the HTTP profile ( not using an irule this time)

     

    In my captures I see that the header is being inserted so the F5 is doing what its supposed to be doing... The only thing is I have not been able to extract the header in the apache server

     

    thanks for your quick reply!