Mark_Ufland_579
Sep 19, 2012

Losing Client IP Addresses

We have a new virtual production environment that is using F5s. We have web applications that are load balanced and the traffic comes down an HTTPS line from the client through the firewall to the F5 and onto the web servers. Unfortunately, as the traffic goes through the F5s it loses the client IP and gets replaced with the IP of the F5. We have been given a solution from our hardware guys of the following:

SSL termination has to be done on the F5’s, this will allow the F5 to insert the HTTP x-forward header as it cannot read the stream if the SSL is getting terminated on the webserver. The traffic will then go to the web server over HTTP.

 

I'm not sure if this is the correct forum for this, but I just want to know if this is the best solution or should we be doing something else.

Thanks.

 

1 Reply

  • Hey Mark. Generally speaking, unless you have SNAT set up, there's no reason you should be losing the client source IP address. Is SNAT configured? Can it be turned off? If SNAT is a requirement for any reason then yes, the best way to go would be to terminate SSL on the F5s and apply an HTTP Profile to the Virtual Server which is configured with XFF header insertion enabled. You could still use SSL to the web servers using a ServerSSL profile as well as the ClientSSL profile.
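
With SNAT plus XFF insertion as discussed in this thread, the web server sees the F5 as the TCP peer and has to read the client address from X-Forwarded-For, and it should do so only when the connection really comes from the F5, because any client can send that header itself. The Python below is an added example, not part of the original posts: the function names and the `TRUSTED_PROXIES` range are assumptions, and it assumes the load balancer's entry is the last one in the header list.

```python
import ipaddress

# Constructed example value: the range the F5 SNATs from towards the pool.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff_values, trusted=TRUSTED_PROXIES):
    """Return the client address to log or apply access rules to.

    peer:       source IP of the TCP connection as seen by the web server
    xff_values: X-Forwarded-For header values, in the order received
    """
    peer_addr = ipaddress.ip_address(peer)
    # A connection that bypasses the load balancer can carry any
    # X-Forwarded-For value, so the header is ignored in that case.
    if not _is_trusted(peer_addr, trusted):
        return str(peer_addr)
    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk from the right: the last entry was added by the proxy nearest
    # to us; entries further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer_addr)  # no usable entry: fall back to the proxy address


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header values)
    samples = [
        ("10.0.0.5", ["203.0.113.7"]),           # normal request via the F5
        ("10.0.0.5", ["1.2.3.4, 203.0.113.7"]),  # client sent its own XFF
        ("198.51.100.9", ["1.2.3.4"]),           # direct hit, header ignored
    ]
    for peer, xff in samples:
        print(peer, xff, "->", client_ip(peer, xff))
```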