Forum Discussion
7 Replies
- dluzzi (Nimbostratus)
Hello,
You can enable the X forward header in the HTTP profile assigned to the VS by enabling the Insert X-Forwarded-For checkbox.
You can also set up an iRule:
when HTTP_REQUEST {
    HTTP::header replace X-Forwarded-For [IP::client_addr]
}
- Rico (Cirrus)
The most common solution to this issue is to set up an X-Forwarded-For Header. Enabling this will tell the F5 to add in an HTTP Header that stores the original client IP address. There are a few ways to enable this on an F5, the most common being an iRule such as the one below:
when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
or just enabling "Insert XFF" in your HTTP profile so that the F5 will do it for you. This article seems to be a perfect read for solving your issue.
If you have any more questions, I am sure I can help.
- Sajan_Mania_381 (Altostratus)
Will this work for a VIP with a non-HTTP port?
- Gym (Cirrus)
Yes, if it is still HTTP protocol, with an HTTP profile.
- F5-Geek (Nimbostratus)
How can we obtain the real client IP address if I am running on performance layer 4, which doesn't use an HTTP profile, and pass to the back-end server?
- Sajan_Mania_381 (Altostratus)
Please check the below comment from rafaelbn:
You could use an iRule to log to the BIG-IP internal syslog. After that you will need to get this information and correlate it somehow.
when CLIENT_ACCEPTED {
    log local0. "Source IP: [IP::client_addr]"
}
- Gym (Cirrus)
To correlate, you could try logging the server-side source port — [serverside {TCP::local_port}] — at the same time as the client-side source IP — [clientside {IP::remote_addr}]. I believe you can do this all when SERVER_CONNECTED. Like this (untested):
when SERVER_CONNECTED {
    log local0.info "Client [clientside {IP::remote_addr}] connected to [IP::server_addr]:[serverside {TCP::remote_port}] from port [serverside {TCP::local_port}]"
}
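
The correlation step suggested in the last reply, as an added example that is not part of the thread: it parses the message written by the SERVER_CONNECTED iRule and resolves a backend-side connection (server address, server port, source port seen from the BIG-IP) to the original client IP. The syslog prefix layout, the sample lines and the function names are assumptions, and it assumes the BIG-IP and backend clocks are synchronised.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Matches the message written by the SERVER_CONNECTED iRule in the thread.
# The syslog prefix (timestamp, host, tmm tag) is an assumed layout.
MSG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"Client (?P<client>\S+) connected to (?P<srv>\S+):(?P<sport>\d+) "
    r"from port (?P<lport>\d+)\s*$"
)

# Constructed sample lines, not captured from a real device.
SAMPLE_LTM_LOG = [
    "Mar  3 10:15:01 bigip1 info tmm[11223]: Rule /Common/log_l4 <SERVER_CONNECTED>: Client 203.0.113.7 connected to 10.0.0.20:443 from port 41022",
    "Mar  3 10:15:02 bigip1 info tmm[11223]: Rule /Common/log_l4 <SERVER_CONNECTED>: Client 198.51.100.9 connected to 10.0.0.21:443 from port 41022",
    "Mar  3 10:15:05 bigip1 notice mcpd[4321]: unrelated message",
    "Mar  3 10:42:30 bigip1 info tmm[11223]: Rule /Common/log_l4 <SERVER_CONNECTED>: Client 192.0.2.55 connected to 10.0.0.20:443 from port 41022",
]

def build_index(lines, year):
    """Map (server, server port, BIG-IP source port) -> sorted [(time, client)]."""
    index = {}
    for line in lines:
        m = MSG.match(line)
        if not m:
            continue  # not written by the iRule
        # Syslog timestamps carry no year, so the caller supplies it.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (m["srv"], int(m["sport"]), int(m["lport"]))
        index.setdefault(key, []).append((ts, m["client"]))
    for entries in index.values():
        entries.sort()
    return index

def client_for(index, srv, sport, lport, seen_at):
    """Client behind the most recent connection at or before seen_at.
    Source ports are reused, so the newest earlier entry wins."""
    entries = index.get((srv, sport, lport), [])
    i = bisect_right([t for t, _ in entries], seen_at)
    return entries[i - 1][1] if i else None

if __name__ == "__main__":
    idx = build_index(SAMPLE_LTM_LOG, 2024)
    print(client_for(idx, "10.0.0.20", 443, 41022, datetime(2024, 3, 3, 10, 43)))
```

The lookup needs the backend to record the peer source port and a timestamp for each connection; without the port, connections from the same SNAT address cannot be told apart.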