Forum Discussion

YossiV
Jul 24, 2016

OneConnect And RealClientIP

Hi, we started to deploy OneConnect mode on one of our Vservers. It works fine, but the issue is that it is a BO system and I need to see the RealClientIP of each HTTP request for reports etc. Since we started to use OneConnect, the IP addresses do not match the real login agent. For example, if I log in, I see that my source address comes from a different agent that logged in a minute ago, and not my IP. I enabled the Insert X-Forwarded-For option on the HTTP profile and also created the following iRule:

 

when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-For [IP::remote_addr]
}

 

But I still see that the real client IP of the agent does not belong to him.

 

9 Replies

  • YossiV

    I was thinking of using this iRule:

     

    when HTTP_REQUEST {
        if {[HTTP::header exists "X-Real-IP"]} {
            snat [HTTP::header "X-Real-IP"]
        } elseif {[HTTP::header exists "X-Forwarded-For"]} {
            snat [HTTP::header "X-Forwarded-For"]
        } else {
            return
        }
    }

     

  • YossiV

    OK, the issue was solved after enabling XFF on the HTTP profile and using the above iRule.

     

  • You can also use the netmask of 255.255.255.255 within the OneConnect profile in order to retain the real client IP at the server level.

     

  • YossiV

    Well, I thought I solved the issue, but it seems I didn't. Using /32 solved the issue, but the server-side connections started to jump; since it's a service that is open to the whole world, it will keep each session open. So I used the default OneConnect profile and the iRule I wrote above, but it didn't work. Any idea how I can use OneConnect without losing the real client IP?

     

    • Vijay_E

      Did you solve the problem, or do you still need assistance?

       

      Have you tried using the XFF header within the HTTP profile and using the XFF header to obtain the original client IP at the server level?

       

    • YossiV

      Hi Odaah, no, I still didn't find a solution. I tried using the HTTP profile with "Insert X-Forwarded-For" and then assigning the iRule:

      when HTTP_REQUEST {
          if {[HTTP::header exists "X-Real-IP"]} {
              snat [HTTP::header "X-Real-IP"]
          } elseif {[HTTP::header exists "X-Forwarded-For"]} {
              snat [HTTP::header "X-Forwarded-For"]
          } else {
              return
          }
      }

      But it didn't work; I still see clients reaching my BO site with addresses that belong to other clients (for example, a client from China got an address that belongs to a client from the US). When a client generated a report, he saw that someone logged in from the US and made a deposit. I needed to calm him down and explain to him that it's not fraud 🙂

      Maybe the iRule is not correct.

    • YossiV

      OK, so I think I know what my issue is: https://support.f5.com/kb/en-us/solutions/public/9000/800/sol9816.html?sr=21470362 I am also using the ASM module, so that might be the issue :\

       

  • YossiV

    Hi Boneyard. Yes, I did it, but when I changed the connection to a /32 prefix the connections started to jump from 300 to 1200, so it wasn't a good idea. Enabling Auto Map gave me the F5 local IP.
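
Added example, not part of the thread and not F5 code: how a back-end application could take the client address per request from X-Forwarded-For, as suggested in the replies, when requests from several clients share one server-side connection. It assumes the back end is reachable only through the load balancer and that the load balancer's own value is the last X-Forwarded-For entry; the function names and sample addresses are constructed.

```python
import ipaddress


def client_ip(peer_addr, xff_values):
    """Return (address, source) for one HTTP request.

    peer_addr  -- TCP source address of the connection the request arrived on
    xff_values -- all X-Forwarded-For header values on the request, in order
    source is "xff" when the address came from the header, "peer" when the
    header was missing or unusable and only the connection address is known.
    """
    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for value in xff_values for h in value.split(",")]
    hops = [h for h in hops if h]
    if hops:
        try:
            # Only the LAST hop was written by the load balancer (assumption);
            # anything to its left arrived from the client and may be forged.
            return str(ipaddress.ip_address(hops[-1])), "xff"
        except ValueError:
            pass  # malformed last hop: fall through, do not look further left
    # With connection reuse this address can belong to a different client.
    return str(ipaddress.ip_address(peer_addr)), "peer"


# Constructed sample: four requests sent over ONE reused server-side
# connection that was originally opened for the client 203.0.113.10.
PEER = "203.0.113.10"
REQUESTS = [
    ("alice", ["203.0.113.10"]),
    ("bob", ["198.51.100.7"]),
    ("carol", ["192.0.2.1, 192.0.2.2", "198.51.100.99"]),  # forged + real
    ("dave", []),                                           # header missing
]


def audit_rows():
    """One (user, address, source) row per request, as a report would log it."""
    return [(user, *client_ip(PEER, xff)) for user, xff in REQUESTS]


if __name__ == "__main__":
    for row in audit_rows():
        print(row)
```

Rows whose source is "peer" carry the shared connection's address, so a login or deposit report should treat them as unattributed instead of showing them as the user's location.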