Forum Discussion

Huw_Jenkins_425
Dec 01, 2006

Preserve Client IP in HTTP Header when using SNAT

Hi

I am trying to configure an iRule to preserve the client IP address when connecting to a VS. I have configured the following iRule and added it to the VS, but when I view the IIS logs on the web server they are still showing the LB address. Any ideas where how I

    when HTTP_REQUEST {
        HTTP::header insert ORIG_CLIENT_IP [IP::remote_addr]
    }

I am new to iRules so I would be grateful for any help, thanks

 

 

7 Replies

  • I think the only thing wrong with your iRule is that you're using [IP::remote_addr] instead of [IP::client_addr]. By definition, you're using the end IP, not the start.

    However, if you're trying to add this header to ALL traffic on that virtual server without putting in any additional logic, you'd be better off simply adding the header in the HTTP profile. There is a "Header Insert" option there where you could place it instead. Instead of the syntax you used above, I believe it would be

    ORIG_CLIENT_IP:[IP::client_addr]

    (Edit - I mistyped the one above the first time. Oops...)

    Also, note the option in there called "Insert XForwarded For." This does the exact same thing you're trying to do, except the name of the header is "X-Forwarded-For" instead of "ORIG_CLIENT_IP".
  • I think deathbywedgie's suggestion to insert the original client IP address in the XFF header is easier than using a rule.

    We also have an IIS plugin you can install on the web servers to parse the header. Check this post for details:

    Click here

    Aaron
  • Hello,

    I tried your suggestion of inserting a custom header to replace the client IP but I am still getting the SNAT IP in the IIS logs. Do you have this functionality working? I am not keen to use the x-forward header as this would require an ISAPI filter to be installed on the IIS server which (unfortunately) is not an option.

    How does the IIS log interpret the ORIG_CLIENT_IP & change it into the W3C format c-ip (client IP)? Should the header be c-ip:[IP::client_addr]?
  • IIS won't log custom headers by default, which is why the DLL is necessary. The source code for the DLL is included, so you can see what it is doing if that's your concern.

    Else, you could reconfigure your network so you don't need to enable source address translation. This seems like a drastic step to take just to avoid installing a DLL/get the correct client IP address logged.

    Aaron
  • Thanks guys

    I have now managed to get this working. I downloaded the DLL as mentioned, installed it as an ISAPI filter on the web server, enabled "Insert XForwarded For" in the HTTP profile, and removed my attempt at writing an iRule. Now when I look in the IIS logs on the web server the source address appears instead of the LB address.

  • Hello guys

    How do we install the DLL, please?

    I'm using a BIG-IP 4.5.10 and I can't log the IP addresses

        pool my_pool {
            header insert "OrigClientAddr:${client_addr}"
            ...
        }

    It doesn't work, I don't know why!!!

    Need your help
  • Make sure to put a space between the header name and value:

        header insert "OrigClientAddr: ${client_addr}"

    You then need to install the F5 X-Forwarded-For DLL for IIS on your Windows server to specify that the server should log the alternate header name. You can get more info on the DLL and download it from Joe's article here:

    http://devcentral.f5.com/weblogs/joe/archive/2005/09/23/1492.aspx

    Aaron
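
The following is an added example, not code from any poster in this thread or from F5: a Python function that picks the address to log on a server behind a SNAT-ing load balancer, honouring X-Forwarded-For only when the connection comes from the SNAT address and reading the hop list from the right, since entries further left can be client-supplied. The SNAT address 10.0.0.5, the function names and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumption (constructed value): the SNAT address the web server sees as
# the TCP peer for traffic that came through the load balancer.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_values):
    """Return the address to log for one request.

    peer_addr:  source address of the TCP connection
    xff_values: every X-Forwarded-For header line received, in order
    """
    # Headers on a connection that bypassed the load balancer are entirely
    # client-controlled, so log the peer itself.
    if not is_trusted(peer_addr):
        return peer_addr
    # Flatten repeated header lines and "a, b" lists into one hop list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk from the right: the nearest proxy's entry is last; anything to
    # its left may have been sent by the client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer_addr


# Constructed sample requests: (TCP peer, X-Forwarded-For header lines).
SAMPLES = [
    ("10.0.0.5", ["203.0.113.7"]),               # normal request via the LB
    ("10.0.0.5", ["192.0.2.1", "203.0.113.7"]),  # client sent its own header
    ("198.51.100.9", ["127.0.0.1"]),             # direct hit, bypassing the LB
    ("10.0.0.5", []),                            # header missing
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, xff, "->", client_ip(peer, xff))
```

The same rule applies to a custom header name such as ORIG_CLIENT_IP: a value is only meaningful when the request arrived from the load balancer.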