Chris_Schaerli_
Sep 28, 2008

tracking user sessions when snatting

I am looking at changing configuration for load balancing so that we use a snat pool rather than passing the original client IP back to the webservers. Snat will save me many headaches with routing, but I have a group of people that deal with web analytics and they have been using the Apache HTTP logs to track site usage. The logs will only show that Snat IP so all their tracking kind of goes out the window. I was thinking about trying to insert the client IP into the headers and maybe they can log off of that, but I was wondering if anyone else had ideas for a good way to track sessions without a unique source IP.

3 Replies

  • This is a common problem encountered when using HTTP acceleration/security devices. Most people use the X-Forwarded header. It is common practice and most good apps are capable of analysing it. There is an option under the http profile to enable the X-Forwarded header.

    Other than that you could use cookie tracking, but then you have client side issues like browsers and security software to contend with.
  • As skottieb suggested, using an XFF header is the typical way to track the original client IP address for HTTP requests through a device which performs source address translation to ensure symmetric routing. SOL4816 has some additional information on how to configure IIS and Apache to log the custom header. If you are using the XFF header for something other than reporting, you should consider removing any existing XFF headers in the request. You can do this by configuring the HTTP profile's 'Request Header Erase' field with X-Forwarded-For.

    Aaron
  • Ok this sounds pretty simple. One question though, what if I have one user's session passing through the LTM more than once as part of the traffic?

    User--->F5--->Proxy--->F5---->HTTP

    Will the proxy IP replace the client IP if the XFF header option is used for both VIPs?
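
The double-pass path asked about above (User, F5, Proxy, F5, HTTP), as an added example that is not part of the original thread: a log-side resolver in Python that picks the address to record from X-Forwarded-For. It assumes each hop adds the address it received the connection from (the usual XFF convention, not confirmed here for any particular device); the names `TRUSTED_HOPS` and `original_client` and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed addresses from documentation ranges (assumption): the SNAT pool
# and the intermediate proxy. Replace with the real values for your network.
TRUSTED_HOPS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.10/32")]


def _is_trusted(addr):
    """True when addr belongs to one of our own forwarding devices."""
    return any(addr in net for net in TRUSTED_HOPS)


def original_client(peer, xff_headers):
    """Return the address to log for analytics.

    peer        -- TCP source address the web server saw (the SNAT address)
    xff_headers -- every X-Forwarded-For header value on the request, in order
    """
    peer_addr = ipaddress.ip_address(peer)
    # A connection that did not come from one of our own devices carries a
    # client-controlled header, so the header is ignored entirely.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    # Flatten repeated headers and comma-separated lists into one hop chain.
    chain = [h.strip() for value in xff_headers for h in value.split(",") if h.strip()]
    # Walk from the hop nearest the server back toward the client and stop at
    # the first address that is not one of our own devices. Anything further
    # left could have been supplied by the client and is never consulted.
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing at or beyond it
        if not _is_trusted(addr):
            return str(addr)
    return str(peer_addr)
```

Because the walk stops at the first hop outside `TRUSTED_HOPS`, a value the client placed in the header itself is never reported, even when no device on the path erased it.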