Forum Discussion

Donster_297784
Apr 09, 2017

SNAT/X-Forwarded

Hey guys,

 

Bit of a weird one this. So I have 2 HA pairs both SNAT'ing but require the X-Forwarded-For to preserve the original source IP due to an access control for the client IP on the end server.

 

The traffic comes in on the first pair, I SSL offload, I then use server-side incompatible to pass it on the next pair. It then hits the next pair so would it be best just to make this pass through and then hit the SNAT again to reach the end server? I have in my head this would work but I may be missing something.

 

The key to it is basically having the original client IP available when it reaches the end server.

 

Thanks for the input!

 

2 Replies

  • Hi ,

    you could either insert the X-Forwarded-For header just on the first HA pair and disable the X-Forwarded-For insertion on the second HA pair (see HTTP Profile options).

    Alternatively you can use the following iRule on the second unit to consolidate multiple X-Forwarded-For's into a single header.

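    when HTTP_REQUEST {
        # Collect the values of every X-Forwarded-For header already present
        if { [set x_forwarded [HTTP::header values "X-Forwarded-For"]] ne "" } then {
            # Replace them with one header: existing values, then the connecting address
            HTTP::header remove "X-Forwarded-For"
            HTTP::header insert "X-Forwarded-For" "[join $x_forwarded ", "], [getfield [IP::client_addr] "%" 1]"
        } else {
            # No header yet: insert the connecting address (route domain suffix stripped)
            HTTP::header insert "X-Forwarded-For" "[getfield [IP::client_addr] "%" 1]"
        }
    }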
    

    The iRule will collect any existing X-Forwarded-For header values, then remove any existing X-Forwarded-For headers and finally create a new one with the collected values + the current "X-Forwarded-For" value. E.g.:

    Incoming HTTP request headers:

    GET / HTTP/1.1  
    Host: site.domain.de  
    ... 
    X-Forwarded-For: 1.1.1.1  
    X-Forwarded-For: 2.2.2.2, 3.3.3.3
    X-Forwarded-For: 4.4.4.4 
    

    Outgoing HTTP request headers:

    GET / HTTP/1.1  
    Host: site.domain.de  
    ... 
    X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5
    

    Note: When using the iRule on your second HA pair, then make sure to disable the automatic X-Forwarded-For insert option in your HTTP profile on those devices. The insert will be already handled by this iRule...

    Cheers, Kai

  • Hi Donster,

    just the 1st pair has to insert the X-Forwarded-For header. This can be done by using a Standard VS with HTTP Profile attached and either X-Forwarded-For HTTP Profile settings enabled or by disabling the X-Forwarded-For HTTP Profile settings and deploying an iRule like this...

    when HTTP_REQUEST {
        HTTP::header remove "X-Forwarded-For" 
        HTTP::header insert "X-Forwarded-For" [getfield [IP::client_addr] "%" 1]
    }
    

    Note: You could also use the iRule of my previous post, if you need to consolidate existing X-Forwarded-For headers into a unified header.

    On the second unit you may also use a Standard VS with HTTP Profile attached - but you don't have to. If an HTTP Profile is getting attached, then you have to make sure that the X-Forwarded-For HTTP Profile settings are disabled.

    Cheers, Kai
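
Added example, not part of the original thread and not F5 code: one way the end server could pick the client IP for its access control out of the consolidated X-Forwarded-For header shown in the first reply, so that only entries appended by the two HA pairs are relied on. The SNAT ranges, the allow-list and all addresses are assumptions built from documentation ranges.

```python
import ipaddress

# Assumptions: SNAT source ranges of the two HA pairs and the server's ACL
# (documentation address ranges, constructed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.0/28")]
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]


def in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip(peer, xff_lines):
    """Client address for a request received from TCP peer `peer`.

    xff_lines holds every X-Forwarded-For header line as received, either one
    consolidated line or several separate ones. Returns None to fail closed.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not in_any(peer_addr, TRUSTED_PROXIES):
        return peer_addr  # not from the load balancers: ignore the header
    hops = [h.strip() for line in xff_lines for h in line.split(",") if h.strip()]
    # Right-most entries were appended by our own tiers; skip those and stop
    # at the first address that is not one of our proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry
        if not in_any(addr, TRUSTED_PROXIES):
            return addr
    return None  # header missing, or it lists only our proxies


def is_allowed(peer, xff_lines):
    addr = client_ip(peer, xff_lines)
    return addr is not None and in_any(addr, ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed requests: (TCP peer seen by the server, X-Forwarded-For lines).
    for peer, xff in [
        ("198.51.100.5", ["203.0.113.7, 192.0.2.5"]),               # both tiers appended
        ("198.51.100.5", ["203.0.113.99, 198.18.0.9, 192.0.2.5"]),  # left-most entry came with the request
        ("198.18.0.9", ["203.0.113.7"]),                            # did not come via the load balancers
    ]:
        print(peer, xff, "->", client_ip(peer, xff), is_allowed(peer, xff))
```

The right-to-left walk is what keeps the check tied to values the HA pairs wrote themselves; entries further left are whatever arrived with the request.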