mb_shankr
Jan 29, 2024
Solved

How to rewrite the source IP address to an URL

Hi. If I want to replace the source IP address in the HTTP header with a URL/FQDN, how can I achieve this? Below is the scenario: Client Address ---> VIP ---> Pool member   Now, when t...
  • mkyrc
    Jan 29, 2024

    Your description of the scenario is not so clear. The client's IP address (source IP address) is located at Layer 3 (OSI model, IP address), not at Layer 7 (HTTP header). Therefore you can't "replace the source IP address with a URL/FQDN" (because the first is located at Layer 3 and the second at Layer 7 = HTTP header).

    In general, modifying an HTTP header by iRule is described here: https://clouddocs.f5.com/api/irules/HTTP__header.html. You can use one of these:

    # replace
    HTTP::header replace <name> [<string>]
    # insert
    HTTP::header insert <name> <value>

    Read this and maybe it helps to understand your request...

    "Normal" load-balancing TCP flow (in general HTTP) is "destination NAT":
    - first TCP flow (client side): client -> VIP = IPclient -> VIP
    - second TCP flow (server side): f5 -> pool member = IPclient -> IPserver 
    ^^ as you can see, the destination IP address (VIP) is replaced with IPserver (it's destination NAT), but the source IP address (client's IP) is the same. That's normal behaviour.

    When you need to "hide" the client's IP address (or in some special network topology cases) you have to use "source NAT" on the f5 device. In this case the TCP flow looks like this:
    - first TCP flow (client side): client -> VIP = IPclient -> VIP
    - second TCP flow (server side): f5 -> pool member = IPf5 -> IPserver
    ^^ in this case, the source address (client's IP) is "hidden"/replaced by another IP address (when you are using "auto map", the IP address is the self or (when an HA pair is configured) floating IP address of the f5 device).

    When you are using "source NAT" and you need to know the client's IP address on the server side, you can add the client's IP address (from Layer 3 of the OSI model) to the HTTP header (Layer 7) as the "XFF" (X-Forwarded-For) header value (https://en.wikipedia.org/wiki/X-Forwarded-For). For this case you can use an HTTP profile or an iRule as code (https://my.f5.com/manage/s/article/K4816). XFF by iRule example:

    when HTTP_REQUEST {
        HTTP::header insert X-Forwarded-For [IP::remote_addr]
    }

     

    And now back to your question: What is your request? What do you need to replace? Do you need to "hide" the client's real IP address?
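
The pool-member side of the SNAT + X-Forwarded-For setup described in the reply above, as an added example that is not part of mkyrc's post or of F5's documentation: it recovers the client address only when the TCP peer is the BIG-IP, and trusts only the rightmost header value. It assumes `HTTP::header insert` adds a new header line and leaves any X-Forwarded-For the client sent in place; the `10.0.0.0/29` SNAT range and the function names are constructed for illustration.

```python
import ipaddress

# Assumption: the BIG-IP's SNAT (self/floating) addresses as the pool member
# sees them. Constructed sample range, not taken from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]


def is_trusted(addr):
    """True if addr parses as an IP and belongs to a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_headers):
    """Return the client address a pool member should log or authorize on.

    peer_addr   -- source IP of the TCP connection (IPf5 when SNAT is on)
    xff_headers -- every X-Forwarded-For header line, in received order
    """
    # Without SNAT the peer is the client itself: ignore any XFF it sent.
    if not is_trusted(peer_addr):
        return peer_addr
    # Flatten all header lines: ["a, b", "c"] -> [a, b, c]
    hops = [h.strip() for line in xff_headers
            for h in line.split(",") if h.strip()]
    # Walk right to left: the rightmost entry was added by the proxy closest
    # to us; entries further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the Layer 3 peer
        if not is_trusted(hop):
            return hop
    return peer_addr
```

On the BIG-IP side, removing any client-supplied X-Forwarded-For before inserting the real address gives the server a single unambiguous value.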