How to set up X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT?

Hi All, hope you are fine.

Please, I need your help.

I have a problem:

when I activate the Google proxy, it is the IP of the proxy that replaces the customer address.

I tested the proxy with external sites and the client source IP is correctly entered in the XFF field.

I set up this configuration but I don't have the standard values:

http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

How can I configure the VS to have the standard values?

  • X-BIG-IP-IP-CALLING: xxxxxxxxx
  • X-FORWARD-FOR: xxxxxxxxx (IP Client), xx.xxx.xx.xxx (Proxy 1) xxx.xxx.xxx.xx (Proxy 2)

Thank you in advance.

BR


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

just to clarify, you want to rewrite the list of IPs from the XFF header to be only the first IP in the list? If so, this should work for you.

when HTTP_REQUEST {
  HTTP::header replace X-Forwarded-For [getfield [HTTP::header X-Forwarded-For] "," 1]
}
Comments on this Answer
Comment made 05-Mar-2014 by KOR 90
Hi Jason, thank you for your response. I need to display the source IP of the client. Now in my config I activate the XFF in service HTTP and put this command X-BIGIP-CALLING-IP:[IP::client_addr] in the Request Header Insert field, but I don't get a result. I will test this iRule. BR
Comment made 23-Mar-2014 by KOR 90
Hi All, I want to preserve the source IP of the client and display it. Actually the configuration set on the VS is >> Profiles : Service : HTTP, Request Header Insert: X-BIGIP-CALLING-IP:[IP::client_addr], Insert X-Forwarded-For: Disabled. Please, any suggestion?
Comment made 23-Mar-2014 by KOR 90
Hi Jason, if I apply this iRule, when HTTP_REQUEST { HTTP::header replace X-Forwarded-For [getfield [HTTP::header X-Forwarded-For] "," 1] } do I activate only Insert X-Forwarded-For in service: HTTP, without the Request Header Insert: X-BIGIP-CALLING-IP: [IP::client_addr], or just apply the iRule without Profiles : Services : HTTP? Thank you so much for your help.
Comment made 24-Mar-2014 by Jason Rahm
you need an http profile to use these commands. if there is an x-bigip-calling-ip header in there, it would be passed in addition to a rewrite of x-forwarded-for (if I understand your question properly)
Comment made 24-Mar-2014 by Jason Rahm
if you enable the x-forwarded-for in the http profile, it will pass the header as-is, it will not rewrite a potential list to the first IP in the list in the header (if there is one)
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

KOR, the HTTP profile's Request Header Insert field will not accomplish what you're looking for. It will not expand an iRule value like [IP::client_addr], but rather takes a static value (ex. TEST=Foo). Further, the Insert X-Forwarded-For option will explicitly insert an "X-Forwarded-For" header into the request. If you want a specific header name other than X-Forwarded-For, you would want to use an iRule:

when HTTP_REQUEST {
    HTTP::header insert X-BIGIP-CALLING-IP [IP::client_addr]
}
Comments on this Answer
Comment made 25-Mar-2014 by KOR 90
Hi All, more details: we have a problem concerning the source IP address of our 3G customers. We have standard load balancing on two monitored servers on port 80. We need to activate the (bandwidth) option on mobile Google Chrome. The problem is as follows: when this option is enabled, the client IP address is replaced by the Google proxy address, whereas we need to preserve the source IP address of our customer. When this option is not active the result is correct. Currently the HTTP profile applied on the VS is: Insert request header: X-BIGIP-CALLING-IP: [IP::client_addr], Insert X-Forwarded-For: Disabled
Comment made 02-Apr-2014 by KOR 90
We have clients that connect to the 3G network. Clients use tablets or smartphones; when they connect through mobile Google Chrome, it activates the bandwidth option in Explorer. Our problem is the following: once this option is activated we do not have the source IP of our customer; it is replaced by the Google Chrome IP. When the option is enabled, the X-BIGIP-CALLING-IP field and the X-Forwarded-For field display the Google proxy IP. We want to preserve our client source IP even with this option enabled. It seems that when the tablet uses the bandwidth option the connection is made as follows: Client --> Google --> BIGIP. The source IP of the connection reaching the BIGIP is Google's IP address. This is why the X-Forwarded-for header has 66.249.81.10. It looks like Google adds a new header to pass the original IP address from the client: Forwarded: for=105.235.130.92
Comment made 02-Apr-2014 by KOR 90
Response from support: >> It seems that when the tablet uses the bandwidth option the connection is made as follows: Client --> Google --> BIGIP. The source IP of the connection reaching the BIGIP is Google's IP address. This is why the X-Forwarded-for header has 66.249.81.10. It looks like Google adds a new header to pass the original IP address from the client: Forwarded: for=105.235.130.92 You may use an iRule to extract the IP address from that header and add it to the X-forwarded-for header. Need your help. Thank you all. BR,
Comment made 06-Apr-2014 by KOR 90
Hi all, please, any iRule suggestion? Thank you all for your support. BR
Comment made 10-Apr-2014 by KOR 90
Hi All, hope you are fine. Please, any suggestion about this iRule? Thank you all in advance. BR,
Comment made 15-Apr-2014 by KOR 90
Hi All, we are still facing this problem. Your help please. BR
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It looks like Google adds a new header to pass the original IP address from the client:

Forwarded: for=105.235.130.92

You may use an iRule to extract the IP address from that header and add it to the X-forwarded-for header.

is it something like this?

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

e.g.

# config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 2
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
  if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
    HTTP::header remove X-forwarded-for
    HTTP::header insert X-forwarded-for $ip
  }
}
}

# trace

[root@ve11a:Active:In Sync] config # ssldump -Aed -nni 0.0 port 80
New TCP connection #1: 172.28.24.1(60325) <-> 172.28.24.10(80)
1397563493.0008 (0.0022)  C>S
---------------------------------------------------------------
GET / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.24.10
Accept: */*
Forwarded: for=1.2.3.4

---------------------------------------------------------------

New TCP connection #2: 200.200.200.14(60325) <-> 200.200.200.101(80)
1397563493.0028 (0.0018)  C>S
---------------------------------------------------------------
GET / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.24.10
Accept: */*
Forwarded: for=1.2.3.4
X-forwarded-for: 1.2.3.4

---------------------------------------------------------------
0
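
The rule above copies `for=` from whatever the request carries, so the back end receives an address chosen by the sender (the curl trace shows exactly that with 1.2.3.4), and `%s` also captures anything that follows the address, such as `;proto=http`. The following is an added example, not code from this thread or from F5: it honours `Forwarded` only when the connecting peer is in a trusted-proxy data group, takes the last RFC 7239 element, and accepts only a well-formed IPv4 address. Assumptions: `trusted_proxies_dg` is a hypothetical address-type data group you create; IPv6 and obfuscated values fall back to the peer address.

```tcl
# Added example, not code from the thread.
# Assumption: trusted_proxies_dg is a hypothetical address-type data group
# that lists the source ranges of the proxies you trust.
when HTTP_REQUEST {
    set peer [IP::client_addr]
    set client $peer          ;# default: the address that connected to us

    # Honour Forwarded only when the TCP peer itself is a trusted proxy.
    if { [class match $peer equals trusted_proxies_dg] && [HTTP::header exists Forwarded] } {
        # RFC 7239: elements are comma-separated and each proxy appends one,
        # so the last element is what the nearest (trusted) proxy saw.
        set element [lindex [split [HTTP::header Forwarded] ","] end]
        foreach param [split $element ";"] {
            set param [string trim $param]
            if { [string equal -nocase -length 4 "for=" $param] } {
                # Drop optional quotes, then an optional :port suffix.
                set node [string trim [string range $param 4 end] "\""]
                set node [lindex [split $node ":"] 0]
                # Accept only a dotted quad with octets 0-255 and no trailing
                # characters; rebuild it from the parsed integers.
                if { [scan $node {%d.%d.%d.%d%c} a b c d extra] == 4 } {
                    set ok 1
                    foreach octet [list $a $b $c $d] {
                        if { $octet < 0 || $octet > 255 } { set ok 0 }
                    }
                    if { $ok } { set client "$a.$b.$c.$d" }
                }
                break
            }
        }
    }

    # Replace whatever X-Forwarded-For arrived with the validated value.
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For $client
    log local0. "peer=$peer x-forwarded-for=$client"
}
```

The log line records both the connecting peer and the value written to X-Forwarded-For, which makes it easy to see in /var/log/ltm whether the header was honoured or the peer address was used.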
Comments on this Answer
Comment made 20-Apr-2014 by KOR 90
Hi nitass, many thanks for your reply. After having applied the iRule, as you can see, the field is replaced by the Google proxy IP address.
Forwarded: for=105.235.128.137 >>>> 3G Customer
Scheme: http
Via: 1.1 Chrome Compression Proxy
X-Psa-Client-Features: bypass,safebrowsing
X-Psa-Client-Options: webp-enable
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/33.0.1750.21 Mobile/11D169 Safari/9537.53
X-BIGIP-CALLING-IP: 66.249.93.10 >>>> Proxy Google
X-Forwarded-For: 66.249.93.10, 192.168.101.54
X-Varnish: 851995049
Many thanks for your help. Br,
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

after having applied the iRule
as you can see the field is replaced by the Google proxy IP address.

so, does it work or not work?

Comments on this Answer
Comment made 20-Apr-2014 by KOR 90
Not working :( I had made no changes to the iRule. What must I change in the iRule (ip, value ...)? iRule:
when HTTP_REQUEST {
  if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
    HTTP::header remove X-forwarded-for
    HTTP::header insert X-forwarded-for $ip
  }
}
The IP of our 3G customer is (105.235.128.137); we want this address to be displayed in the following two fields, but for now it is replaced by the Google proxy.
X-BIGIP-CALLING-IP: 66.249.93.10 >>>> Proxy Google
X-Forwarded-For: 66.249.93.10
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

not work :(

can you add some logging in the irule?

e.g.

when HTTP_REQUEST {
  log local0. "\[HTTP::header Forwarded\] [HTTP::header Forwarded]"
  if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
    HTTP::header remove X-forwarded-for
    HTTP::header insert X-forwarded-for $ip
  }
}
Comments on this Answer
Comment made 22-Apr-2014 by KOR 90
Hi nitass, the VS is configured as follows: an HTTP profile applied and the iRule that you sent me. In the profile \ service \ http \ Insert Header request (enabled): X-BIGIP-CALLING-IP: [IP::client_addr]. Still the output is the same: the Google proxy IP replaces the client IP. Thank you very much for your support and help, I really appreciate it. Br,
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

have you added the logging to the irule? what did you get from the log?

Comments on this Answer
Comment made 22-Apr-2014 by KOR 90
What I can find in /var/log/ltm:
Apr 22 04:43:46 tmm3 info tmm3[7976]: Rule /VAS/XFW_Log_Local <HTTP_REQUEST>: [HTTP::header Forwarded]
Br,
Comment made 22-Apr-2014 by KOR 90
And that is the iRule applied:
when HTTP_REQUEST {
  log local0. "\[HTTP::header Forwarded\] [HTTP::header Forwarded]"
  if { [scan [HTTP::header Forwarded] {for=%s} ip] == 1 } {
    HTTP::header remove X-forwarded-for
    HTTP::header insert X-forwarded-for $ip
  }
}
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Apr 22 04:43:46 tmm3 info tmm3[7976]: Rule /VAS/XFW_Log_Local <HTTP_REQUEST>: [HTTP::header Forwarded]

it seems no Forwarded header. is header name correct indeed?
