HTTP header rewrite (IP source address)

Answered Question
Jun 8th, 2010

Hi,


Is it possible, using the "http header rewrite" ACE feature, to replace the S-NAT IP address with the real source IP address in an HTTP request?


Thanks

Correct Answer by Pablo about 6 years 11 months ago

Hi Selim,


You can't rewrite the IP address of S-NAT because NAT would become useless and it wouldn't make much sense to have it in place... Typically you configure S-NAT in a one-arm mode configuration, or also when the backend servers point their default gateway to a different L3 device that doesn't necessarily need to go through the ACE to send the response to the client; in a nutshell it avoids asymmetrical routing in the LB setup.


What you can do to preserve the real client IP address is have the ACE insert a new HTTP header, usually called X-Forwarded-For. This is how the configuration should look:


policy-map type loadbalance first-match HTTP
  class class-default
    serverfarm web
    insert-http X-Forwarded-For header-value "%is"


Once you have configured this, the S-NAT IP address is still logged on the server, but you also receive this new header with the original client IP address.


In my experience there are not many problems enabling this logging on HTTP servers (Apache), as you can enable it with a simple drop-down, but IIS needs to be configured with an ISAPI filter that you can find here:


http://devcentral.f5.com/weblogs/Joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx


I hope this helps.


Pablo

Cisco TAC
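The answer above leaves the server-side half to the reader: the server still sees the S-NAT address as the TCP peer and must read the real client address out of X-Forwarded-For. The snippet below is an added example (not from the original thread, and not ACE or Cisco code) of how a backend should do that safely. It assumes a hypothetical S-NAT address of 10.0.0.5 as the only trusted proxy, and that the ACE's inserted value ends up as the last entry of the comma-joined header. The header is only believed when the request actually arrived from the S-NAT address, and the rightmost non-proxy entry is used, so a client that sends its own X-Forwarded-For cannot forge the logged address.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed value: the S-NAT address the ACE uses toward the backend servers.
# Hypothetical; substitute the NAT pool address of your own ACE.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_from_xff(remote_addr: str,
                       xff_header: Optional[str],
                       trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address that should be logged as the client.

    remote_addr is the TCP peer the server actually saw (the S-NAT address when
    the request came through the ACE).  X-Forwarded-For is only trusted when
    that peer is a known proxy; otherwise the header may have been written by
    the client itself and the peer address is returned unchanged.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted or not xff_header:
        return remote_addr

    hops = []
    for raw in xff_header.split(","):
        try:
            hops.append(ipaddress.ip_address(raw.strip()))
        except ValueError:
            # Malformed entry: do not guess, fall back to the peer address.
            return remote_addr

    # Walk from the right: the last entry was appended by the last trusted hop.
    # Skip any trailing proxy addresses (e.g. a chain of load balancers) and
    # take the first entry that is not a trusted proxy as the real client.
    for hop in reversed(hops):
        if hop not in trusted:
            return str(hop)
    return remote_addr


def access_log_line(remote_addr: str, xff_header: Optional[str],
                    request_line: str, status: int) -> str:
    """Build a minimal Common-Log-Format style line using the resolved client IP."""
    client = client_ip_from_xff(remote_addr, xff_header)
    return f'{client} - - "{request_line}" {status}'


if __name__ == "__main__":
    # Constructed sample requests, as a server behind the ACE would see them.
    print(access_log_line("10.0.0.5", "203.0.113.7", "GET / HTTP/1.1", 200))
    print(access_log_line("10.0.0.5", "198.51.100.9, 203.0.113.7", "GET / HTTP/1.1", 200))
    print(access_log_line("192.0.2.50", "203.0.113.7", "GET / HTTP/1.1", 200))
```

The middle case shows why the rightmost entry matters: a client that sends `X-Forwarded-For: 198.51.100.9` gets the ACE's real value appended after it, so the spoofed entry is ignored. The third case is a request that bypassed the ACE; its header is not trusted at all and the peer address is logged.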
