Eric_Oakeson_68
Nov 03, 2008

Source IP in HTTP header when doing SNAT

I have kind of a strange request here, but the customer wants the original IP to be in the HTTP header for the application to read. However, we are doing SNAT on the LTMs, so we're not sure if this is even possible. We're doing global load balancing with LTMs in POPs around the world. So the GTM gets them to the closest LTM, then the "remote" LTM (in the POP) sends the traffic to the main data center in the US. We use SNAT between the POP LTMs and the data center LTMs. The users' traffic is NATed at the POP in order for the network to route it back properly to the appropriate POP they came from. The application sees the source as the POP LTM, but now they also want to see the original source IP as well. Is there an iRule that could accomplish this, i.e. keep the original IP in the HTTP header even though the source IP is being NATed?

Here's how the flow works:

User -> POP LTM -> Data center LTM -> server

5 Replies

  • spark_86682
    Historic F5 Account
    You don't even need an iRule for this; there's a setting in the HTTP profile called "Insert X-Forwarded-For" that will insert a header named X-Forwarded-For with the original client's IP address.
  • OK, follow-up question... Since the user passes through 2 sets of LTMs, will the 2nd set maintain the original client IP or, since the client is SNATed behind the 1st set of LTMs, will the servers see the 1st set of LTMs as the source? Basically, will that X-Forwarded-For header be maintained all the way to the server?
  • spark_86682
    Historic F5 Account
    If you have it configured on both sets of LTMs then (assuming that no other device in the middle changes it) there will be two X-Forwarded-For headers and the first one will have the client's IP. The second LTM shouldn't change the header unless you configure it to. It sounds like you only should configure that header to be inserted on the set of LTMs that can see the client IP.
  • Note that most servers are not configured to log XFF by default; there is an ISAPI plugin for IIS here in DevCentral that will modify it to do so. I believe Apache is not difficult to configure to do this either, but just keep in mind that you will have to modify the server's logging behavior to capture XFF.

    Denny
  • SOL4816 describes how to insert/parse the XFF header:

    SOL4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic being translated by a SNAT

    Aaron
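Worked example of the server-side half of this thread, added here and not part of the original posts or of F5's own code: it models the "Insert X-Forwarded-For" behaviour spark_86682 describes at both LTMs (so the request reaches the server with two X-Forwarded-For headers) and then reads the original client address the way the "parse" side of SOL4816 needs to. The addresses, the trusted-proxy ranges and the function names are assumptions for illustration. One caveat a practitioner would want, which the second run demonstrates: a client can send its own X-Forwarded-For before it ever reaches the POP LTM, so the application should not simply take the first header; it should walk the chain from the right, skipping only the LTM SNAT addresses it trusts.

```python
"""
Recover the original client IP from X-Forwarded-For (XFF) on a server that
sits behind two SNATing BIG-IP LTMs (POP LTM -> data-center LTM), as in the
thread above.

Constructed example, not F5 code: it models what the HTTP profile's
"Insert X-Forwarded-For" setting adds at each hop, then shows how the
application should read the result. All addresses are assumed.
"""
import ipaddress
from typing import List, Sequence, Tuple

Header = Tuple[str, str]

# Assumed addresses (constructed for this example).
POP_LTM_SNAT = "198.51.100.5"   # what the data-center LTM sees as the source
DC_LTM_SNAT = "10.1.2.3"        # what the server sees as the source (its peer)

# Only hops we operate are trusted to have inserted an honest XFF entry.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # POP LTM SNAT addresses (assumed)
    ipaddress.ip_network("10.0.0.0/8"),       # data-center LTM SNAT addresses (assumed)
]


def ltm_insert_xff(headers: Sequence[Header], seen_source: str) -> List[Header]:
    """Model one LTM with "Insert X-Forwarded-For" enabled: it adds another
    X-Forwarded-For header carrying the source address of the connection it
    received, and leaves any header that was already present untouched."""
    return list(headers) + [("X-Forwarded-For", seen_source)]


def simulate_flow(client_addr: str,
                  client_headers: Sequence[Header] = ()) -> Tuple[str, List[Header]]:
    """User -> POP LTM -> data-center LTM -> server, with XFF insertion on
    both LTMs. Returns (peer address the server sees, request headers)."""
    headers = ltm_insert_xff(client_headers, client_addr)   # POP LTM sees the real client
    headers = ltm_insert_xff(headers, POP_LTM_SNAT)         # DC LTM sees the POP's SNAT address
    return DC_LTM_SNAT, headers


def xff_chain(headers: Sequence[Header]) -> List[str]:
    """Flatten every X-Forwarded-For header, whether the hops produced
    separate headers or one comma-separated value, into a single
    left-to-right list: [client-supplied?, hop1, hop2, ...]."""
    chain: List[str] = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            chain.extend(v.strip() for v in value.split(",") if v.strip())
    return chain


def is_trusted(addr: str) -> bool:
    """True if addr belongs to one of our own proxies."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # not an IP at all (garbage in the header)
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def original_client(peer_addr: str, headers: Sequence[Header]) -> str:
    """Walk the chain from the right, i.e. from the hop nearest to us,
    skipping our own proxies; the first address that is not one of ours is
    the original client. Entries further left may have been supplied by
    the client itself and are not trusted. If the peer is not one of our
    proxies, XFF carries no authority and the peer itself is the client."""
    if not is_trusted(peer_addr):
        return peer_addr
    for addr in reversed(xff_chain(headers)):
        if not is_trusted(addr):
            return addr
    return peer_addr              # chain contained only our own proxies


if __name__ == "__main__":
    # Honest client: leftmost entry and rightmost-untrusted entry agree.
    peer, hdrs = simulate_flow("203.0.113.7")
    print(hdrs, "->", original_client(peer, hdrs))
    # Client that sent a forged X-Forwarded-For before reaching the POP:
    # "take the first header" would say 192.0.2.99; walking from the right
    # still yields 203.0.113.7.
    peer, hdrs = simulate_flow("203.0.113.7", [("X-Forwarded-For", "192.0.2.99")])
    print(hdrs, "->", original_client(peer, hdrs))
```

If, as spark_86682 suggests, only the POP LTMs (the ones that see the client) insert the header, the chain has one entry and the same right-to-left walk still returns it, so the application code does not need to know how many LTMs are in the path; it only needs an accurate list of its own SNAT ranges. The value this returns is what the server's logging (the IIS plugin or Apache change Denny mentions) should record, not the raw header.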