Forum Discussion
- Hannes_Rapp (Nimbostratus)
If NAT is applied, you are no longer able to see the IP of original source host in TCP-level information at the end-server.
However, since it's an HTTP(S) service, you can achieve that with the use of HTTP headers. You can instruct F5 to insert the x-forwarded-for HTTP cookie, which contains the value of the real source IP. This setting can be enabled in Profiles > Services > HTTP_PROFILE_USED_BY_SERVICE
- Enable the "Insert X-Forwarded-For" setting
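Added example (not code from this thread or from F5): how a backend behind the load balancer should consume the inserted X-Forwarded-For header. It assumes a constructed F5 SNAT address of 10.0.0.5 as the only trusted proxy and ignores the header whenever the TCP peer is not that proxy, since any client can send a forged value.

```python
import ipaddress
from typing import List, Optional

# Assumption (constructed for this example): the F5 SNATs to 10.0.0.5,
# so that is the only TCP peer whose X-Forwarded-For header we believe.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address to log or authorize as the real client.

    remote_addr: the TCP peer the server sees (after SNAT, the F5 address).
    xff: the X-Forwarded-For header value, or None if absent.
    The header is walked right to left, skipping trusted proxy hops, and the
    first untrusted hop is returned. If the peer itself is not a trusted
    proxy, the header is ignored and the peer address is used as-is.
    """
    if not _is_trusted(remote_addr) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed entry: fall back to the peer address
    return remote_addr


# Constructed sample requests as (peer address, X-Forwarded-For header).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "203.0.113.7"),                       # via F5, one hop
    ("10.0.0.5", "198.51.100.9, 203.0.113.7, 10.0.0.5"),  # chained proxies
    ("203.0.113.7", "192.0.2.1"),                      # direct client, forged XFF
    ("10.0.0.5", None),                                # via F5, header missing
]


def resolve_all(requests: List[tuple]) -> List[str]:
    """Resolve the client IP for every sample request."""
    return [client_ip(peer, xff) for peer, xff in requests]


if __name__ == "__main__":
    for req, ip in zip(SAMPLE_REQUESTS, resolve_all(SAMPLE_REQUESTS)):
        print(req, "->", ip)
```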
- Visvesh_138292 (Nimbostratus)
Thank you, Hannes... Let me check and I will update you with the status...
Regards Visvesh.
- Hannes_Rapp (Nimbostratus)
You're welcome
Detailed information about the solution is available here: http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
There are some limitations to keep in mind, mainly that the SSL must be terminated on the F5.
- Visvesh_138292 (Nimbostratus)
Is there any other option to achieve this with an iRule?
Because the SSL offloading is happening at the server, not on the F5.
Regards Visvesh.
- Hannes_Rapp (Nimbostratus)
I'm assuming most of the requests are coming from real end-users, and not client-servers. Possibly you applied SNAT configuration to make it possible for a few client-servers to access the content.
If that's the case, you can create an iRule to apply SNAT automap only when needed, and not in all use-cases. Typically you only need to apply SNAT when source and destination are in the same network.
Solution with iRule:
when CLIENT_ACCEPTED {
    # Apply SNAT only when the client sits in the server-side network
    if { [class match [IP::client_addr] equals "data_my_network"] } {
        snat automap
        log local0. "Applied SNAT for IP: [IP::client_addr]"
    } else {
        # Client is elsewhere: do not apply SNAT, keep the original source IP
        return
    }
}
"data_my_network" = address-type LTM data group which contains the network segment where the end-servers are located (e.g. 192.168.1.0/24). You then need to remove the SNAT automap configuration from the virtual server (this has a possible impact and should be done during a scheduled maintenance window).
Other than that, I don't have any solutions for you. If the above is not applicable, you should either create a new network segment to solve the asymmetric routing issue, or ask to migrate the SSL termination to F5.