Overview of Trusted Client IP Headers in F5 Distributed Cloud Platform
As security architectures grow, a request initiated at the source traverses multiple hops before it reaches its destination. By design, if a request passes through any CDN or proxy that sits between the real client and the load balancer, the load balancer no longer sees the client's IP address as the source address, but the CDN/proxy IP instead. Identifying the real client IP address is often necessary for monitoring, logging, defining allow/deny policies and other purposes.
The “Trusted Client IP Header” feature of the F5 Distributed Cloud platform addresses this concern and provides the ability to identify the real client IP address that initiated the connection. When this feature is enabled, security events and request logs show this real client IP address as the source IP. The feature allows the admin to configure Client IP Headers: the admin defines a list of one or more Client IP Headers as trusted headers.
Below are some key points to be considered while configuring headers list:
- When multiple headers are configured, the F5 Distributed Cloud platform follows top-to-bottom precedence: the first header in the list is checked for presence in the request. If it is not present, the system proceeds to the second header, and so on, until one of the listed headers is found.
- When none of the defined headers exists in the request, or the value of the configured header is not an IP address, the system uses the source IP of the packet.
- When the header value contains multiple IP addresses, the system reads the rightmost IP address and treats it as the real client IP address. The exception is the X-Forwarded-For header: when its value contains multiple IPs, the system reads the rightmost-1 IP address (the second from the right) and treats that as the real client IP address.
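The following Python function is an added illustration of the three rules above; it is not F5's code and does not reflect how the platform is implemented internally. It assumes a request's headers arrive as a dictionary, takes the configured header list in precedence order, and receives the packet source IP (the CDN/proxy address) as the fallback. The IP addresses in the sample requests are constructed from documentation ranges.

```python
from ipaddress import ip_address


def resolve_client_ip(headers, trusted_headers, packet_source_ip):
    """Return the client IP the load balancer would log, following the rules
    described above (added example, not F5 platform code).

    headers           -- request headers as a dict (name -> value)
    trusted_headers   -- configured Trusted Client IP Headers, in precedence order
    packet_source_ip  -- source IP of the packet (the CDN/proxy address)
    """
    # HTTP header names are case-insensitive, so compare them lower-cased.
    present = {name.lower(): value for name, value in headers.items()}

    # Rule 1: top-to-bottom precedence; the first configured header that is
    # present in the request is the one that is evaluated.
    for name in trusted_headers:
        value = present.get(name.lower())
        if value is None:
            continue

        # A header value may carry a comma-separated list of addresses.
        parts = [p.strip() for p in value.split(",") if p.strip()]
        if not parts:
            # Rule 2: an empty value is not an IP address.
            return packet_source_ip

        # Rule 3: X-Forwarded-For with several entries -> rightmost-1;
        # any other header (or a single-entry X-Forwarded-For) -> rightmost.
        if name.lower() == "x-forwarded-for" and len(parts) > 1:
            candidate = parts[-2]
        else:
            candidate = parts[-1]

        try:
            return str(ip_address(candidate))
        except ValueError:
            # Rule 2: header found but its value is not an IP address,
            # so the packet source IP is used (literal reading of the rule).
            return packet_source_ip

    # Rule 2: none of the configured headers is present in the request.
    return packet_source_ip


if __name__ == "__main__":
    # Constructed sample: the CDN (198.51.100.5) forwards a request from a
    # client at 203.0.113.10 through one intermediate proxy at 192.0.2.7.
    trusted = ["X-F5-True-Client-Ip", "X-Forwarded-For"]
    cdn_ip = "198.51.100.5"

    print(resolve_client_ip({"X-F5-True-Client-Ip": "203.0.113.10"}, trusted, cdn_ip))
    print(resolve_client_ip({"X-Forwarded-For": "203.0.113.10, 192.0.2.7, 198.51.100.5"},
                            trusted, cdn_ip))
    print(resolve_client_ip({}, trusted, cdn_ip))
```

The function returns the header-derived address only when a configured header is present and parses as an IP, and otherwise falls back to the packet source, which is what makes the logged source IP usable in policies. The header list should contain only headers that the CDN or proxy in front of the load balancer is known to set on every request; a header name that nothing in the path overwrites would simply be whatever the sender supplied.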
The video below provides a brief introduction to the Trusted Client IP Headers feature:
In this demonstration, we will see how to identify the real client IP address using the “Trusted Client IP Headers” option in the F5 Distributed Cloud platform.
We are using
- F5 Distributed Cloud Content Distribution Network (check references for more details)
- Load-balancer configured with “Trusted Client IP Header” option enabled
- Airlines test application as a backend origin server.
As shown in the demo architecture below, the request initiated by the client first reaches the available F5 CDN server, and the request from the CDN then hits the load balancer. The load balancer checks the request for the configured headers, identifies the true client IP address and displays it rather than the CDN IP. The request from the load balancer finally reaches the backend application.
Step 1: Creation of Origin Pool
- From your desired namespace, navigate to Manage -> Load Balancers -> Origin pools
- Click on "Add Origin Pool"
- Provide a name for Origin pool
- Configure Origin server details with valid Port details.
- Proceed with “Save and Exit”
Step 2: Creation of Load Balancer with Trusted Client IP Header enabled
- From your desired namespace, navigate to Manage -> Load Balancers -> HTTP Load Balancers
- Click on "Add HTTP load balancer"
- Provide a name for the Load Balancer
- Provide valid domain name and choose appropriate load balancer type under Basic Configuration
- Associate the above created Origin Pool in the load balancer
- In Other Settings, Enable Trusted Client IP Headers
- Provide a list of one or more Client Headers. The admin can configure any header that is used to carry the client IP address.
- Click on “Save and Exit” to save the Load Balancer configuration.
Step 3: Create any Content Delivery Network or Proxy
Here we are using the F5 XC CDN between the client and the load balancer. A CDN is a set of servers used to serve web content quickly. CDN servers are distributed globally, and their main aim is to reduce latency in end-to-end communication and thereby increase efficiency. Check the references for further exploration links.
- Navigate to Home -> Content Delivery Network -> Manage -> Distributions
- Click on “Add Distribution”
- Provide a name for the CDN
- Provide a valid domain name
- Choose appropriate CDN type
- Create a CDN Origin Pool by clicking on “Configure”
- Provide your HTTP Load Balancer domain name which is created above in the DNS name
- Add above created HTTP Load balancer domain name in the list of Origin Servers of CDN Origin pool
- Click on “Apply” twice
- CDN Origin pool gets created and associated with the CDN
- Click on “Save and Exit”
Note: F5 CDN provides a dedicated header called “X-F5-True-Client-Ip” to carry the real client address. Customers using F5 CDN can use this header to identify the client IP address. Similarly, customers can configure any header, including custom headers, to identify the client IP.
Step 4: Access the backend Origin Server
- Open a browser
- Access the backend server using the configured domain
- Observe that the request hits the backend server and the response page is visible
Step 5: Validate logs and source IP
- To check the source IP, in the F5 Distributed Cloud Console, navigate to Home -> Load Balancer -> Virtual Hosts -> HTTP Load Balancers
- Choose the appropriate load balancer and open Security Monitoring -> Requests
- Observe the Client IP and compare it with the client's public IP address. Because the feature is enabled, the client IP address should be displayed in the logs rather than the CDN/proxy IP.
- This source IP can further be used in WAF exclusion rules and to block or allow clients.
As the demonstration above shows, with the Trusted Client IP Headers option enabled in the F5 Distributed Cloud platform, request logs and security events are logged with the real client IP address as the source IP rather than the CDN IP.