David_Raimist_1
Jul 07, 2006

Looking for help with Incoming IP address within

We are utilizing a "one arm router" config and the remote IP address is coming from the LB. We are using "Insert XForwarded For" in the profile and F5 isapi filter to write the original/incoming IP address to our weblogs.

I now have a need to be able to identify the actual incoming IP address (not the LB IP) to control access to a classic ASP / MS SQL application. We want to control access to the application based on incoming IP address from an entire organization.

How would this be done from asp? Do we need to utilize iRules? Is there a tool set/api to utilize?

If you can point me in the right direction and/or provide some direction that would be greatly appreciated.

david

2 Replies

  • Hi David,

    In a one arm configuration, the BIG-IP can insert the original client IP address in the XForwarded-For header. After processing the request, the BIG-IP replaces the source IP address with the SNAT address.

    You can still access the client IP address using 'IP::remote_addr' in the CLIENT_ACCEPTED, HTTP_REQUEST and other client side contexts.

    If you want to perform ACL-type restrictions on the source IP address, you can create a datagroup (or class) of networks or IP addresses and then use the match_class function to see if the client's IP address meets your access criteria.

    
    class my_hosts_networks_class  {
       network 10.0.0.0 mask 255.0.0.0
       host 192.168.0.100
    }

    rule filter_clients_rule {
       when CLIENT_ACCEPTED {
          # Set debug to 1 to enable logging to /var/log/ltm. Set to 0 to disable logging.
          set debug 1
          if { [matchclass [IP::remote_addr] equals $::my_hosts_networks_class] } {
             if { $debug } {
                log local0.info "Allowed client: [IP::remote_addr]"
             }
             pool http_pool
          } else {
             pool nonsecure_pool
          }
       }
    }

    On the other hand, if you're trying to parse the XForwarded-For header on the application server and make decisions based on that, I wouldn't know where to start.

    Aaron
  • Thanks Aaron. I was able to find what I needed. I found the following code that allowed me access to the x_forwarded IP address. Here is what I found:

    Dim sIPAddress
    sIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If sIPAddress="" Then sIPAddress = Request.ServerVariables("REMOTE_ADDR")

    So, the HTTP_X_FORWARDED_FOR server variable seems to contain the original IP Address.

    Thanks again,

    david
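
Added example, not code from either poster or from F5: a classic ASP check that applies the allow-list idea from the first reply to the HTTP_X_FORWARDED_FOR value from the second. Because that header is request data, it is read only when REMOTE_ADDR is the load balancer; LB_SNAT_ADDR, ALLOWED_NETS and the assumption that the load balancer's entry comes last in the header are illustrative and not taken from the thread.

```vbscript
<%
' Added example. LB_SNAT_ADDR and ALLOWED_NETS are constructed placeholder values.
Const LB_SNAT_ADDR = "10.1.1.5"
Const ALLOWED_NETS = "203.0.113.0/24,198.51.100.128/25"
' Dotted-quad IPv4 -> Double, or -1 when the string is not a valid address.
Function IPToNum(sIP)
    Dim re, m, i, n
    IPToNum = -1
    Set re = New RegExp
    re.Pattern = "^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$"
    If Not re.Test(sIP) Then Exit Function
    Set m = re.Execute(sIP)(0)
    n = CDbl(0)
    For i = 0 To 3
        If CLng(m.SubMatches(i)) > 255 Then Exit Function
        n = n * 256 + CLng(m.SubMatches(i))
    Next
    IPToNum = n
End Function

' True when sIP lies inside sCidr ("a.b.c.d/nn"); malformed input never matches.
Function InCidr(sIP, sCidr)
    Dim aNet, ipNum, netNum, blockSize
    InCidr = False
    aNet = Split(sCidr, "/")
    If UBound(aNet) <> 1 Then Exit Function
    ipNum = IPToNum(sIP) : netNum = IPToNum(aNet(0))
    If ipNum < 0 Or netNum < 0 Then Exit Function
    blockSize = 2 ^ (32 - CLng(aNet(1)))
    InCidr = (Int(ipNum / blockSize) = Int(netNum / blockSize))
End Function

' Use X-Forwarded-For only when the TCP peer is the load balancer.
Function ClientIP()
    Dim sRemote, aHops
    sRemote = Request.ServerVariables("REMOTE_ADDR")
    ClientIP = sRemote
    If sRemote <> LB_SNAT_ADDR Then Exit Function
    ' Assumption: the load balancer's own entry is the last one in the list.
    aHops = Split("" & Request.ServerVariables("HTTP_X_FORWARDED_FOR"), ",")
    If UBound(aHops) >= 0 Then ClientIP = Trim(aHops(UBound(aHops)))
End Function

Dim sNet, bAllowed : bAllowed = False
For Each sNet In Split(ALLOWED_NETS, ",")
    If InCidr(ClientIP(), sNet) Then bAllowed = True
Next
If Not bAllowed Then Response.Status = "403 Forbidden" : Response.End
%>
```

A header value that does not parse as an IPv4 address matches no network, so the request is refused rather than falling back to the load balancer's address.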