Forum Discussion

Andreas_Lamprec's avatar
Andreas_Lamprec
Icon for Nimbostratus rankNimbostratus
Nov 28, 2017

HTTP::Header not working when there is no header in the client request

Hi!

What i am trying to achieve is to exclude the health-checks from the webservers log. But it turns out there is a more general issue which i'm trying to understand/solve.

The setup consists of a loadbalancer configured as L7-Firewall in front of another loadbalancer doing "normal" things. The L7-Firewall does health-checks with the standard HTTP monitor.

Since the "normal" loadbalancer is a one-armed setup, i need SNAT and want to add x-forwarded-for header to ALL requests.

Requests from normal clients are having the x-forwarded-for header added. But for the health-checks from the L7-firewall, which come in as simple as "GET /", no header is added...

I tried numerous ways: using the HTTP profile "switch" and using an IRule. Both methods aren't working. The HTTP_Request event is triggered, but the header is not inserted....

The following IRule is used:

when HTTP_REQUEST {
    log local0. "HTTP_REQUEST before insert [IP::client_addr]"
    HTTP::header insert X-Forwarded-For [IP::client_addr]
    log local0. "HTTP_REQUEST after insert [IP::client_addr]"
    }
    
when HTTP_REQUEST_SEND {
   log local0. "HTTP_REQUEST reached [IP::client_addr]"
   
   clientside {
      log local0. "HTTP_REQUEST_SEND before insert"
      HTTP::header insert X-Forwarded-For [IP::client_addr]
      log local0. "HTTP_REQUEST_SEND after insert"
      log local0.info "Content of X-Forwarded-For: [HTTP::header X-Forwarded-For]"   
   }
}

The output in /var/log/ltm for a L7-Firewall health check is as follows (dates removed):

Rule /External/XFF_Add : HTTP_REQUEST before insert 1.2.3.4%1
Rule /External/XFF_Add : HTTP_REQUEST after insert 1.2.3.4%1
Rule /External/XFF_Add : HTTP_REQUEST reached 1.2.3.4%1
Rule /External/XFF_Add : HTTP_REQUEST_SEND before insert
Rule /External/XFF_Add : HTTP_REQUEST_SEND after insert
Rule /External/XFF_Add : Content of X-Forwarded-For:

Any ideas how to solve that?

Of course the easiest solution would be to change the health-check on the L7 firewall, but unfortunately i do not have any influence to the setup of the L7-firewall.

Thanks in advance!

Andreas

1 Reply

  • Never had such issue. may be the irule fails to insert this header if HTTP version is HTTP/1.0 ( default version when monitor is GET /)

     

    did you try to configure Insert X-Forwarded-For in HTTP profile instead of irule?