Preserve client ip (Stealth LB)

Question

Hello Everybody,
I made a search through discussions to see if this subject is covered, and apparently it is not. 
I have several applications running on my servers behind my Big-IP 10.2.x LB, and before they were behind LB, they were reading and using client's IP in several manners.
I know i can use x-forwarding-for or any other fields in http header to pass the client ip to the server, but I cannot change my software to adapt the new system.
What I have to do is, if it is possible, make the LB stealth and the server will see the real client's IP address rather than LB's IP address.
Is it possible to assign a new value to client_addr in any context? 
P.S. how the client ip address is read in the application is as follows:
---------------------------------------------------------Java
getRemoteAddr

Returns the Internet Protocol (IP) address of the client or last proxy that
sent the request. For HTTP servlets, same as the value of the CGI variable
REMOTE_ADDR.

Returns: 
a String containing the IP address of the client that sent the request
---------------------------------------------------------
Thanks in advance,
-Comex

hooleylist · Answer

Hi Comex, 
&nbsp;  
&nbsp; Is this for IIS only?  If so, here's a possible solution: 
&nbsp;  
&nbsp;  
&nbsp; http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/31/afv/topic/aft/1178815/afc/1227279/Default.aspx 
&nbsp; Posted By rjordan on 05/06/2011 12:53 PM  
&nbsp; Regarding something simple to attempt, try installing ARR Helper for IIS (http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx). This will rewrite the REMOTE_ADDR value with the X-Forwarded-For value. We've used this when we have to deal with some closed source applications that can't be updated to look at X-Forwarded-For. I don't think it rewrites the source IP in the web logs, though. 
&nbsp;  
&nbsp;  
&nbsp; Another option would be to modify the servers to set the default gateway to an LTM self IP and then disable SNAT.   
&nbsp;  
&nbsp; Aaron 
&nbsp; Aaron

comex_17260 · Answer

Hey Hoolio, 
&nbsp; Thanks for your response. 
&nbsp;  
&nbsp; although one of the server is IIS, my problem is about the source code as I cannot change it. 
&nbsp; I was trying to assign client ip to LB's local IP when the connection is made from the client to server through LB. I hope that when this is done, the server will see/think that the remote address in https request is client ip rather than LB's IP. 
&nbsp;  
&nbsp; The servers get IP from the LB, but SNAT is opened because the servers start request to outside (e.g. sending mail) 
&nbsp;  
&nbsp; If this can be done without changing any other part of my whole network, i am saved. 
&nbsp;  
&nbsp; -Comex

nitass · Answer

if you cannot change code, i think server has to set f5 as default gateway. then you will be able to disable snat, so server will see real client ip address.

Forum Discussion

Preserve client ip (Stealth LB)

3 Replies

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

HTTP POST redirect preserving POST data

Enhance your Application Security using Client-side signals

iRule based RADIUS Client Stack

Using Client Subnet in DNS Requests

iRule to set SameSite for compatible clients and remove it for incompatible clients (LTM|ASM|APM)