bsb
Feb 13, 2018

xforward-for doesn't work

to fetch real client IP. Scenario: Client Machine --> Proxy (X-Forwarded-For enabled) --> LB --> Backend Server (URL configured). When the client tries to access a URL, the request is forwarded to the proxy for SSL offload and then forwarded to the LB; the incoming packet shows the internal interface IP (pool of IPs) of the proxy. If I enable X-Forwarded-For in the LB via iRule, I don't see the real client IP; rather I see the proxy pool IP only, but on the backend server I am able to see the real X-Forwarded-For header with the client IP. Am I missing something here?

 

4 Replies

  • bsb

    The requirement is to see the real client IP in System -> Logs -> Local Traffic and to check which backend server is accepting the incoming client request.

    Inbound logging is already enabled, and currently I can see the incoming client IP as the proxy interface pool IP.


  • The challenge isn't so much if it works or doesn't, but how that data is presented to BIG-IP, and how you choose to manage it. You can receive multiple X-Forwarded-For headers with a single IP, or a single X-Forwarded-For header with multiple IPs, or some combination of the two. It could also be that there is another similar header name used for XFF that your backend server is reading, but you'd need a dump of the headers to know for sure.

     

  • bsb

    The HTTP request iRule below displays the real IP in System -> Logs -> Local Traffic:

    when HTTP_REQUEST {
        if { [HTTP::header exists X-Forwarded-For] } {
            log local0. "Received XFF from [IP::client_addr]: [HTTP::header X-Forwarded-For]"
        }
    }

    But I don't see the incoming request landing on the backend server even if I add the iRule below.

    when CLIENT_ACCEPTED {
        set vip [IP::local_addr]:[TCP::local_port]
    }
    when SERVER_CONNECTED {
        set client "[IP::client_addr]:[TCP::client_port]"
        set node "[IP::server_addr]:[TCP::server_port]"
        log local0. "Client $client -> VIP: $vip -> Node: $node"
    }

    Could you please let me know how to combine both the HTTP_REQUEST and CLIENT_ACCEPTED iRules so that the logs would be displayed in System -> Logs -> Local Traffic as

    XFF IP --> VIP --> Backend Server IP


  • bsb

    (edited by admin to put in code blocks)

     

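    when HTTP_REQUEST {
        # Capture the connecting peer, the XFF header and the VIP per request
        set CLIENT_ADDR [IP::client_addr]
        set XFF [HTTP::header X-Forwarded-For]
        set vip [IP::local_addr]:[TCP::local_port]
    }

    when HTTP_RESPONSE {
        # Log once the pool member is known, so all values land on one line
        log local0. "SRC:$CLIENT_ADDR XFF:$XFF vip:$vip backend_server:[LB::server addr]:[server_port]"
    }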

    The above case worked out.
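
The reply above points out that X-Forwarded-For can arrive as several headers with one IP each, one header with several IPs, or a mix. An iRule that handles all three and logs client, VIP and node on one line follows; it is an added example, not code from the thread. It assumes XFF is only trusted when the connection comes from the proxy pool, and `static::proxy_net` with the range 192.0.2.0/24 is a constructed placeholder for that pool.

```tcl
when RULE_INIT {
    # Assumption: placeholder range standing in for the SSL-offload proxy pool
    set static::proxy_net "192.0.2.0/24"
}

when CLIENT_ACCEPTED {
    set vip "[IP::local_addr]:[TCP::local_port]"
}

when HTTP_REQUEST {
    set peer [IP::client_addr]
    set chain {}
    # Flatten every XFF header and every comma-separated entry into one list
    foreach value [HTTP::header values X-Forwarded-For] {
        foreach hop [split $value ","] {
            set hop [string trim $hop]
            if { $hop ne "" } { lappend chain $hop }
        }
    }
    # Default to the TCP peer; XFF is client-supplied text, so it is only
    # consulted when the request really came from our own proxy pool
    set client $peer
    if { [IP::addr $peer equals $static::proxy_net] } {
        # Walk right to left: the rightmost entries were appended by our
        # proxies, the first entry outside the pool is the client they saw
        for { set i [expr {[llength $chain] - 1}] } { $i >= 0 } { incr i -1 } {
            set hop [lindex $chain $i]
            # An entry that is not a valid address ends the walk;
            # the log then falls back to the TCP peer
            if { [catch { IP::addr $hop equals $static::proxy_net } trusted] } { break }
            if { !$trusted } { set client $hop; break }
        }
    }
}

when HTTP_RESPONSE {
    # The pool member is known here, so everything fits on one log line
    log local0. "client:$client peer:$peer xff:[join $chain ,] vip:$vip node:[LB::server addr]:[LB::server port]"
}
```

Entries to the left of the selected address are kept in the `xff:` field for reference only, since anything before the first trusted hop can be set by the sender.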