Forum Discussion

Visvesh_138292
Oct 09, 2014

How to see the real IP on the server - the traffic is from VIP:HTTPS and SNAT is enabled.

Hello,

Can anyone help me get the real IP on the server? The traffic is passing through a VIP listening on the HTTPS port, and SNAT is enabled on the HTTPS VIP to avoid a routing issue in my environment.

Regards, Visvesh.

5 Replies

  • If NAT is applied, you are no longer able to see the IP of the original source host in the TCP-level information at the end server.

    However, since it's an HTTP(S) service, you can achieve that with the use of HTTP headers. You can instruct the F5 to insert the X-Forwarded-For HTTP cookie, which contains the value of the real source IP. This setting can be enabled in Profiles > Services > HTTP_PROFILE_USED_BY_SERVICE

    • Enable the "Insert X-Forwarded-For" setting
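Once the BIG-IP inserts X-Forwarded-For, the server still has to read it safely: the header is client-controlled unless the request actually came through the proxy, so the application should only honour it when the TCP peer is the BIG-IP's SNAT address, and should take the value the BIG-IP added (the rightmost one) rather than whatever the client put first. The Python below is an added example, not code from this thread or from F5; the SNAT addresses are constructed placeholders, and it assumes that, if the HTTP stack received several X-Forwarded-For headers, they were folded in order into one comma-separated value.

```python
import ipaddress

# Constructed for this example (not from the thread): the BIG-IP SNAT addresses
# that the server is willing to treat as a trusted proxy. Replace with your own.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.10/32"),
    ipaddress.ip_network("10.0.0.11/32"),
]


def real_client_ip(peer_ip, headers):
    """Return the client address the server should log or use for access control.

    peer_ip : source address of the TCP connection (the SNAT address when the
              request arrived via the BIG-IP).
    headers : mapping of lower-cased header names to values; several
              X-Forwarded-For headers are assumed to have been folded, in order,
              into one comma-separated value.

    The header is only meaningful when the TCP peer is a trusted BIG-IP; anyone
    connecting directly can set X-Forwarded-For to whatever they like. The BIG-IP
    adds the real source as the last value, so the rightmost entry is used and any
    entries further left (supplied by the client or an upstream proxy) are ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection or unknown proxy: the TCP source is the best we have.
        return peer_ip

    values = [v.strip() for v in headers.get("x-forwarded-for", "").split(",")]
    values = [v for v in values if v]
    if not values:
        # Trusted proxy but no header (e.g. the HTTP profile setting is off).
        return peer_ip

    candidate = values[-1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Malformed value: never record attacker-controlled garbage as an address.
        return peer_ip


def access_log_line(peer_ip, headers, request_line):
    """Build an access-log line that records both the TCP peer and the real client."""
    return f'{real_client_ip(peer_ip, headers)} via {peer_ip} "{request_line}"'


if __name__ == "__main__":
    # Constructed requests: one through the BIG-IP, one direct with a forged header.
    print(access_log_line("10.0.0.10", {"x-forwarded-for": "203.0.113.7"}, "GET / HTTP/1.1"))
    print(access_log_line("198.51.100.5", {"x-forwarded-for": "203.0.113.7"}, "GET / HTTP/1.1"))
```

Logging both the TCP peer and the derived client address keeps the SNAT hop visible in the logs, which makes it obvious when a request bypassed the BIG-IP and the header should not have been trusted.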
  • Thank you Hannes... Let me check and will update you with the status...

    Regards, Visvesh.

  • You're welcome.

    Detailed information about the solution is available here: http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

    There are some limitations to keep in mind, mainly that the SSL must be terminated on the F5.

  • Is there any other option to achieve this with an iRule?

    Because the SSL offloading is happening at the server, not on the F5.

    Regards, Visvesh.

  • I'm assuming most of the requests are coming from real end-users, and not client-servers. Possibly you applied the SNAT configuration to make it possible for a few client-servers to access the content.

    If that's the case, you can create an iRule to apply SNAT automap only when needed, and not in all use-cases. Typically you only need to apply SNAT when source and destination are in the same network.

    Solution with iRule:

    when CLIENT_ACCEPTED {
        # Apply SNAT automap only for clients in the server segment; all other clients keep their real source IP
        if { [class match [IP::client_addr] equals "data_my_network"] } {
            snat automap
            log local0. "Applied SNAT for IP: [IP::client_addr]"
        } else {
            # Do not apply SNAT
            return
        }
    }


    "data_my_network" = an address-type LTM data group which contains the network segment where the end servers are located (e.g. 192.168.1.0/24). You then need to remove the SNAT automap configuration from the virtual server (this has a possible impact and should be done during a scheduled maintenance window).

    Other than that, I don't have any solutions for you. If the above is not applicable, you should either create a new network segment to solve the asymmetric routing issue, or ask to migrate the SSL termination to the F5.
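To make the decision in the iRule above concrete, here is a small Python model of it: an address-type data group with both host and network entries, the class match, and the source address the server ends up seeing for each client. It is an added example, not code from this thread or from F5; the data group name is the one used in the reply, and all addresses are constructed.

```python
import ipaddress

# Constructed address-type data group standing in for "data_my_network" (values are
# examples, not from the thread). An LTM address data group may hold single hosts
# as well as networks, so both forms are included.
DATA_MY_NETWORK = [
    "192.168.1.0/24",  # the segment where the end servers live
    "10.20.30.44",     # a lone client-server that also needs to hairpin through the F5
]


def load_address_group(entries):
    """Parse data-group records into networks; a bare host becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def class_match(client_ip, group):
    """Model of `class match [IP::client_addr] equals data_my_network`."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in group)


def connection_as_seen_by_server(client_ip, group, snat_ip):
    """Return (snat_applied, source_ip_seen_by_server) for one client connection.

    A client on the server segment would receive the server's reply directly on the
    LAN instead of back through the BIG-IP (the asymmetric routing the SNAT was
    added for), so only those clients get `snat automap` and lose their real IP at
    the TCP layer. Every other client is passed through with its own address intact.
    """
    if class_match(client_ip, group):
        return True, snat_ip
    return False, client_ip


def report(clients, group, snat_ip):
    """Summarise the policy for a list of client addresses."""
    return {c: connection_as_seen_by_server(c, group, snat_ip) for c in clients}


if __name__ == "__main__":
    group = load_address_group(DATA_MY_NETWORK)
    # Constructed clients: an internet user, a host on the server segment, the
    # listed client-server and its neighbour. The SNAT address is the BIG-IP's
    # self IP on the server segment (constructed).
    clients = ["203.0.113.9", "192.168.1.50", "10.20.30.44", "10.20.30.45"]
    for client, (snat, seen) in report(clients, group, "192.168.1.5").items():
        flag = "yes" if snat else "no"
        print(f"{client:>14}  SNAT={flag:<3}  server sees {seen}")
```

Running the model before the maintenance window shows exactly which clients will still arrive with a rewritten source address after the change, which is the list to hand to whoever relies on the server-side logs.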