Forum Discussion

Donster_297784's avatar
Donster_297784
Icon for Nimbostratus rankNimbostratus
Apr 09, 2017

SNAT/X-Forwarded

Hey guys,   Bit of a weird one this. So I have 2 HA pairs both SNAT'ing but require the x forwarded to preserve the original source IP to due an access control for the client IP on the end server....
application delivery
devops
iRules
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Apr 09, 2017

Hi ,

you could either insert the 

X-Forwarded-For
header just on the first HA pair and disable the 
X-Forwarded-For
insertation on the second HA pair (see HTTP Profile options).

Alternatively you can use the following iRule on the second unit to consolidate multiple 

X-Forwarded-For
's into a single header.

when HTTP_REQUEST {
    if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
        HTTP::header remove "X-Forwarded-For" 
        HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
    } else {
        HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
    }
}

The iRule will collect any existing X-Forwarded-For header values, then remove any existing X-Forwarded-For headers and finally create a new one with the collected values + the current "X-Forwarded-For" value. E.g.:

Incomming HTTP request headers:

GET / HTTP/1.1  
Host: site.domain.de  
... 
X-Forwarded-For: 1.1.1.1  
X-Forwarded-For: 2.2.2.2, 3.3.3.3
X-Forwarded-For: 4.4.4.4

Outgoing HTTP request headers

GET / HTTP/1.1  
Host: site.domain.de  
... 
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5

Note: When using the iRule on your second HA pair, then make sure to disable the automatic X-Forwarded-For insert option in your HTTP profile on those devices. The insert will be already handled by this iRule...

Cheers, Kai