
ofilipe_109339
Jul 09, 2014

X-FORWARDED-FOR AND ERASING SNAT IP FROM APACHE LOGS

I am using x-forwarded-for and the web server admins would like to not see the snat ip in the logs. Currently I see both the client and snat ip. The client being 208.97.218.10 and snat 10.128.254.13. Can something be done within the x4 profile? - "Request Header Erase"? I

 

Apache logs:

208.97.218.10, 10.128.254.13 - - [08/Jul/2014:10:06:42 -0500] "GET /XXXXXX/ HTTP/1.1" 200 2313 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11"

 

208.97.218.10, 10.128.254.13 - - [08/Jul/2014:10:06:42 -0500] "GET /XXXXXX HTTP/1.1" 304 - "XXXXXX" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11"

 

Apparently the below irule also did not work to clear the double entries:

 

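    when HTTP_REQUEST {
        # Header already present: append this connection's remote address to it
        if { [HTTP::header exists X-Forwarded-For] } {
            HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::remote_addr]"
        } else {
            # No header yet: insert one carrying the remote address
            HTTP::header insert X-Forwarded-For [IP::remote_addr]
        }
    }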

 

6 Replies

  • The XFF header is a layer 7 object, while the SNAT address is a layer 4 value. You cannot use an iRule to change the SNAT address without altering routing and potentially defeating the reason you're using SNAT in the first place.

     

    I would suggest tailoring the Apache log config to ignore the source address, the %h LogFormat value, and perhaps replacing it with the XFF header value \"%{X-Forwarded-For}i\"

     

  • The admin tried the %h and mentioned there was a comma separated value issue. The strange thing is I do not see this on other device vips:

     

    146.180.106.231 - - [09/Jul/2014:14:04:45 -0500] "POST /XXXXXX HTTP/1.1" 200 1177 "XXXXXX" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

     

    66.150.110.71 - - [09/Jul/2014:14:04:55 -0500] "POST /XXXXXX HTTP/1.1" 200 25 "xxxxxxxxxxxxxxxxxx" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

     

  • So what does it look like if you do something like this?

    LogFormat "\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" common
    
  • Hi folks,

     

    I am facing the same problem, where the XFF is working but I am still receiving the selfip sometimes in the Apache log.

     

    Would you help me out with this?

     

    Thank you, Gabriel Castro

     

  • You're basically getting two different IP addresses in different data streams. One is coming from an HTTP header (layer 7) and the other at TCP/IP layer 3. If you don't want the layer 3 address, then you need to configure your Apache logs to ignore this value.
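
As an added example, not part of the original thread or anyone's posted code: when the first log field holds the comma-separated X-Forwarded-For list shown in the question, this Python code reduces it to one client address by taking the rightmost entry that is not a trusted proxy, since anything further left was supplied by the client and can be forged. The function names and the trusted-proxy list are assumptions; 10.128.254.13 is the SNAT address quoted in the thread, and the line containing 203.0.113.7 is constructed.

```python
import ipaddress
import re

# Assumption: the proxies allowed to append to X-Forwarded-For.
# 10.128.254.13 is the SNAT address quoted in the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.128.254.13/32")]

# First field is one address or a comma-separated list (optionally quoted),
# followed by the "%l %u %t ..." fields of the common/combined formats.
LINE_RE = re.compile(r'^"?(?P<xff>[^"\[]*?)"? (?P<rest>\S+ \S+ \[.*)$')

# Sample input: the first line is from the thread (user agent shortened),
# the second is constructed to show a forged leftmost entry.
SAMPLE = [
    '208.97.218.10, 10.128.254.13 - - [08/Jul/2014:10:06:42 -0500] '
    '"GET /XXXXXX/ HTTP/1.1" 200 2313 "-" "Mozilla/5.0"',
    '"203.0.113.7, 208.97.218.10, 10.128.254.13" - - '
    '[08/Jul/2014:10:06:43 -0500] "GET /XXXXXX/ HTTP/1.1" 200 2313',
]


def client_from_xff(xff):
    """Return the rightmost listed address that is not a trusted proxy."""
    for token in reversed([t.strip() for t in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            return None  # malformed entry (or "-"): do not look further left
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return None  # every entry was a trusted proxy


def normalize(line):
    """Rewrite a log line so its first field is a single client address."""
    m = LINE_RE.match(line)
    if not m:
        return line  # not in the expected layout: leave untouched
    client = client_from_xff(m.group("xff")) or "-"
    return f"{client} {m.group('rest')}"


if __name__ == "__main__":
    for entry in SAMPLE:
        print(normalize(entry))
```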