Anish_5238
Oct 19, 2007

iRule for REMOTE_ADDR

Hello

We are using the BigIP in an Auto_map SNAT configuration and in this case the REMOTE_ADDR of the client is replaced by the IP of the BigIP in the webserver logs.

I understand that enabling X-Forwarded-For adds the real client IP in the HTTP_X_FORWARDED_FOR environment variable in IIS.

Is there an iRule available which replaces REMOTE_ADDR with HTTP_X_FORWARDED_FOR at runtime, so that IIS always sees the real client IP and not the IP of the F5?

Thanks in anticipation

Anish

3 Replies

  • Hi,

    Are you wanting to log the value in the X-Forwarded-For value or actually use the value in generating the HTML content? If the former, you can use a DLL plugin to log the value. Else, it would probably be easier to modify the scripts running on the servers to parse the value. You could either disable the SNAT or use an iRule to take the XFF value and use it as the source IP in traffic sent to the pool. Either of the last two options would require that the default gateway on the pool members be set to the floating IP of the BIG-IP.

    Can you clarify what you're trying to do and whether you can set the default gateway of the pool members to the BIG-IP's self IP?

    Thanks,

    Aaron
  • Hello Aaron and thank you for your response. To answer your questions, firstly, the pool members are not using the F5 as the default gateway and they are connected over a VPN. I have to use SNAT "auto map" for the configuration to work.

    The backend servers have some controls which utilise the "REMOTE_ADDR" variable to process some checks. I am able to enable XFF in the http profile and use the "HTTP_X_FORWARDED_FOR" variable instead of "REMOTE_ADDR" to achieve the desired results. However, I will have to make changes across 25 webservers. It would be great if I can just put an iRule which replaces "REMOTE_ADDR" with "HTTP_X_FORWARDED_FOR" and that is transparent to IIS and the custom application. That way, I simply avoid re-configuration headaches.

    Let me know if that is possible.

    Thanks again,

    Anish


  • Hi Anish,

    I believe the REMOTE_ADDR field is parsed from the source address on the TCP packets. So if you need the BIG-IP to perform source address translation to ensure the symmetric routing, you will need to modify the application to parse the HTTP_X_FORWARDED_FOR value instead.

    Aaron
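
Added example, not part of the original thread or any poster's code: one way an application behind the SNAT could pick the client address from `REMOTE_ADDR` and `HTTP_X_FORWARDED_FOR` when those values feed access checks. It assumes a CGI/WSGI-style `environ` dictionary, a constructed BIG-IP SNAT address of `192.0.2.10`, and that the proxy's own entry is the rightmost one in the header; `client_ip` and `TRUSTED_PROXIES` are hypothetical names.

```python
import ipaddress

# Assumption: the BIG-IP SNAT/self IPs that connect to the web servers.
# 192.0.2.10 is a constructed documentation address, not from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(environ, trusted=TRUSTED_PROXIES):
    """Return the address the application should treat as the client."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    # A connection that did not come from the BIG-IP can carry any header
    # value, so only the TCP source address is trustworthy in that case.
    if not _is_trusted(peer, trusted):
        return str(peer)
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left: the rightmost entry was added by the proxy nearest
    # the server; entries further left may have been sent by the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop rather than trust anything left of it
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)  # no usable header: fall back to the proxy address


if __name__ == "__main__":
    # Constructed requests: one through the BIG-IP with a client-supplied
    # leading entry, one sent straight to the server with a forged header.
    via_proxy = {"REMOTE_ADDR": "192.0.2.10",
                 "HTTP_X_FORWARDED_FOR": "10.1.1.1, 198.51.100.23"}
    direct = {"REMOTE_ADDR": "203.0.113.7",
              "HTTP_X_FORWARDED_FOR": "10.1.1.1"}
    print(client_ip(via_proxy))
    print(client_ip(direct))
```
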