Forum Discussion
Pretty simple resolution, like hoolio suggested. Here are the config steps I needed.
Use case: customer wanted the external clients' source IP for application functions and also wanted to have the source IP of internal clients as well.
Created an HTTP profile with Insert X-Forwarded-For and Accept XFF, with the virtual server using the client-side cert to decrypt the 443 traffic on the client SSL profile and the default serverssl for the server-side SSL profile, on the AFM/LTM F5.
On the ASM/LTM F5 I'm simply using LTM at the moment, but a cert is required for the client side if leveraging the ASM feature to allow packet inspection.
Last hop :) The internal network includes an HTTP profile with Insert X-Forwarded-For and Accept XFF to allow internal clients to pass the client source IP to that particular F5 virtual server, with a client SSL profile cert to decrypt traffic and the default server-side SSL profile cert.
Here is an iRule monitor that assisted me in seeing the X-Forwarded-For traffic when testing.
when HTTP_REQUEST {
    # Build one identifier per request; it is reused in HTTP_RESPONSE.
    set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
    log local0. "============================================="
    log local0. "$LogString (request)"
    # Dump every request header, including X-Forwarded-For.
    foreach aHeader [HTTP::header names] {
        log local0. "$aHeader: [HTTP::header value $aHeader]"
    }
    log local0. "============================================="
}
when HTTP_RESPONSE {
    log local0. "============================================="
    log local0. "$LogString (response) - status: [HTTP::status]"
    # Dump every response header.
    foreach aHeader [HTTP::header names] {
        log local0. "$aHeader: [HTTP::header value $aHeader]"
    }
    log local0. "============================================="
}
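An added example, not part of the original post: with X-Forwarded-For inserted at each F5 hop, the application should take the client address by walking the chain right to left from the TCP peer and stopping at the first hop that is not one of its own proxies, so entries a client supplied itself are ignored. The proxy addresses in `TRUSTED_PROXIES` and the log lines in `SAMPLE_LOG` are constructed assumptions; the parser accepts both repeated headers and comma-separated lists.

```python
import ipaddress

# Assumption: hypothetical addresses of the F5 hops allowed to vouch for a client.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.20.0.5/32")]

# Constructed sample: message part of lines the monitor iRule would log.
SAMPLE_LOG = [
    "Host: app.example.test",
    "X-Forwarded-For: 192.0.2.66, 203.0.113.7",
    "X-Forwarded-For: 10.10.0.12",
]

def xff_values(log_lines):
    """Collect every X-Forwarded-For value from 'Name: value' log lines."""
    values = []
    for line in log_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            values.append(value.strip())
    return values

def xff_chain(values):
    """Flatten repeated headers and comma lists into one ordered hop list."""
    return [t.strip() for v in values for t in v.split(",") if t.strip()]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer, values):
    """Walk right to left from the TCP peer; stop at the first untrusted hop."""
    candidate = ipaddress.ip_address(peer)
    for token in reversed(xff_chain(values)):
        if not is_trusted(candidate):
            break  # everything further left was supplied by an untrusted sender
        try:
            candidate = ipaddress.ip_address(token)
        except ValueError:
            break  # malformed entry: keep the last validated address
    return str(candidate)

if __name__ == "__main__":
    print(client_ip("10.20.0.5", xff_values(SAMPLE_LOG)))
```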