newbie Q regarding V10, custom log headers and SSL

Question

Hi all, 
&nbsp;  
&nbsp; I apologise in advance for a newbie question as I have little experience in this area, however I can't find the answer I'm looking for. I think what I need to do is pretty straightforward. 
&nbsp;  
&nbsp; I have an ssl virtual server set to terminate and forward to a pool of weblogic instances ( just tcp port 8001 on a 2 server pool ). This part works without issue. 
&nbsp;  
&nbsp; What I want to do is preserve the client ip using the custom weblogic header - WL-Proxy-Client-IP. 
&nbsp;  
&nbsp; So I add an irule ( shamelessly copied from a post on here - thanks ! ) 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp; HTTP::header insert WL-Proxy-Client-IP [IP::client_addr] 
&nbsp; } 
&nbsp;  
&nbsp; The question is - where do I apply the rule ? Is it correct to add an http profile to the ssl virtual server and apply the irule there ? 
&nbsp;  
&nbsp; TIA, 
&nbsp; Dave

hooleylist · Answer

Hi Dave, 
&nbsp;  
&nbsp; Welcome to the forums.  Glad you were able to find an example that worked for you. 
&nbsp;  
&nbsp; You can configure this on a custom HTTP profile.  Set the 'header to insert' to WL-Proxy-Client-IP: [IP::client_addr] and the header to erase as WL-Proxy-Client-IP.  This ensures any existing WL-Proxy-Client-IP header will be removed before a new one is inserted.   
&nbsp;  
&nbsp; You could also do this with an iRule, but the HTTP profile option is a bit simpler to configure. 
&nbsp;  
&nbsp; Aaron

dsnaithd_104244 · Answer

Aaron, 
&nbsp;  
&nbsp; thanks for the quick response - have implemented your idea with not a great deal of success unfortunately. 
&nbsp;  
&nbsp; What I didn't mention is that we have a SNAT applied ( hence the need for the header ) - are you aware of any config required when using SNAT and custom headers ?  
&nbsp;  
&nbsp; Its entirely possible however, and quite likely, that the header is indeed being set and ignored at the weblogic end, thats something I have yet to verify.  
&nbsp;  
&nbsp; cheers, 
&nbsp; Dave

hooleylist · Answer

Hi Dave, 
  
 The header insert option will work with/without SNAT.  You can check that the header is being inserted by adding a logging iRule or using tcpdump:

when HTTP_REQUEST { 
  
     Log the WL-Proxy-Client-IP header value 
    log local0. "WL-Proxy-Client-IP value: [HTTP::header value WL-Proxy-Client-IP]" 
  
 }

tcpdump -ni 0.0 -Xs0 host NODE_IP and port NODE_PORT 
  
 Aaron

dsnaithd_104244 · Answer

Thanks Aaron - fyi I can verify the header is being written, so off to the weblogic config we go. 
&nbsp;  
&nbsp; Thanks for your time and help. 
&nbsp;  &nbsp;

Forum Discussion

newbie Q regarding V10, custom log headers and SSL

4 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Query Regarding extramb

Question & Answer: Regarding CVE-2020-5902

Re: F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP header

Security headers

F5 Distributed Cloud - Service Policy - Header Matching Logic & Processing