<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>article Insert Source IP to an already loadbalanced HTTP Traffic or if the XFF already exists in Data Center and Cloud Knowledge Base</title>
    <link>https://community.cisco.com/t5/data-center-and-cloud-knowledge-base/insert-source-ip-to-an-already-loadbalanced-http-traffic-or-if/ta-p/3127041</link>
    <description>&lt;H2&gt;Introduction&lt;/H2&gt;&lt;P&gt;In a Cisco ACE configuration, real servers are dedicated physical servers that you typically configure in groups called server farms. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;HTTP header insertion is used to identify the original source IP address of a SNATed packet. The X-Forwarded-For (XFF) HTTP header field is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;H2&gt;Insert or Modify HTTP Header&lt;/H2&gt;&lt;P&gt;The ACE is able to insert or modify an HTTP header using a Layer 7 policy. 
This is described in detail in the &lt;A href="http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/classlb.html#wp1131842" rel="nofollow" target="_blank"&gt;configuration guide&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a sample configuration that inserts a header carrying the source IP, as per the SLB configuration guide:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;action-list type modify http HTTP-INSERT-XFF-HEADER-SRCIP-ACTIONLIST&lt;/P&gt;&lt;P&gt;&amp;nbsp; header insert request ISPx-HEADER-CLIENTSRCIP header-value %is&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;policy-map type loadbalance http first-match PUBLICBASIC-001-SLB01-POLICYMAP&lt;/P&gt;&lt;P&gt;&amp;nbsp; class class-default&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; sticky-serverfarm SRC-IP-STICKY-SRVFARM-01&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; action HTTP-INSERT-XFF-HEADER-SRCIP-ACTIONLIST&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In this example, the source IP is inserted into a header called ISPx-HEADER-CLIENTSRCIP. Alternatively, one can name the header “X-Forwarded-For” instead of “ISPx-HEADER-CLIENTSRCIP” to comply with the standard. However, if some other proxy has already set the “X-Forwarded-For” header, the ACE adds another header with the same name instead of inserting the IP into the existing header (this is the expected behavior of the “header insert” command). 
Some servers (e.g. Apache) will then concatenate the content of identical headers to form a chain of source IPs; some won’t.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;H2&gt;Insert Source IP to an existing XFF list&lt;/H2&gt;&lt;P&gt;To append the source IP to an existing list of XFF IP addresses instead, use the “header rewrite” action on the ACE:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;header rewrite request X-Forwarded-For header-value "(.*)" replace "%1, %is"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Because the “header rewrite” action only works if the header already exists, the SLB policy first needs a class that checks whether the header is present before it decides to do either an insert or a rewrite. The configuration becomes:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;class-map type http loadbalance match-all EXISTING-XFF-HEADER-CLASSMAP&lt;/P&gt;&lt;P&gt;&amp;nbsp; 5 match http header X-Forwarded-For header-value ".*"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;action-list type modify http HTTP-INSERT-XFF-HEADER-SRCIP-ACTIONLIST&lt;/P&gt;&lt;P&gt;&amp;nbsp; header insert request X-Forwarded-For header-value %is&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;action-list type modify http HTTP-REWRITE-XFF-HEADER-SRCIP-ACTIONLIST&lt;/P&gt;&lt;P&gt;&amp;nbsp; header rewrite request X-Forwarded-For header-value "(.*)" replace "%1, %is"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;policy-map type loadbalance http first-match PUBLICBASIC-001-SLB01-POLICY&lt;/P&gt;&lt;P&gt;&amp;nbsp; class EXISTING-XFF-HEADER-CLASSMAP&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; sticky-serverfarm SRC-IP-STICKY-SRVFARM-01&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; action HTTP-REWRITE-XFF-HEADER-SRCIP-ACTIONLIST&lt;/P&gt;&lt;P&gt;&amp;nbsp; class class-default&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; sticky-serverfarm SRC-IP-STICKY-SRVFARM-01&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; 
action HTTP-INSERT-XFF-HEADER-SRCIP-ACTIONLIST&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;H2&gt;Verify&lt;/H2&gt;&lt;P&gt;Test a header insertion followed by a header rewrite to validate that both behaviors work. This can be done with multi-tiered load balancing, where the first tier does an insert because no XFF header is present and a second tier does a rewrite after detecting that the header is present.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You can use a packet dump on the rservers to validate the header insertion / rewrite.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;H2&gt;Related Information&lt;/H2&gt;&lt;P&gt;&lt;A href="https://community.cisco.com/document/88456/health-monitoring-best-practices-cisco-ace" target="_blank"&gt;Health Monitoring Best Practices for Cisco ACE&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.cisco.com/document/91051/management-features-and-capabilities-ace-appliance" target="_blank"&gt;Management Features and Capabilities on ACE appliance&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportforums.cisco.com/document/81676/insert-www-url-client-request-using-ace" target="_blank"&gt;Insert WWW in the URL of client request using ACE&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportforums.cisco.com/document/111856/load-balance-multiple-networks-ace-sharing-common-vlan" target="_blank"&gt;Load Balance Multiple Networks on ACE Sharing a Common VLAN&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 29 Aug 2017 11:38:54 GMT</pubDate>
    <dc:creator>Sandeep Singh</dc:creator>
    <dc:date>2017-08-29T11:38:54Z</dc:date>
    <item>
      <title>Insert Source IP to an already loadbalanced HTTP Traffic or if the XFF already exists</title>
      <link>https://community.cisco.com/t5/data-center-and-cloud-knowledge-base/insert-source-ip-to-an-already-loadbalanced-http-traffic-or-if/ta-p/3127041</link>
      <pubDate>Tue, 29 Aug 2017 11:38:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/data-center-and-cloud-knowledge-base/insert-source-ip-to-an-already-loadbalanced-http-traffic-or-if/ta-p/3127041</guid>
      <dc:creator>Sandeep Singh</dc:creator>
      <dc:date>2017-08-29T11:38:54Z</dc:date>
    </item>
  </channel>
</rss>

