01-13-2011 01:52 AM
Any idea or configuration example on how to reconstruct the original client IP address from X-forwarded-for in HTTP request?
01-13-2011 09:31 AM
Hi buddy,
What do you mean by "reconstruct"? There are two possible scenarios with X-Forwarded-For:
A: Your client is behind a proxy, the proxy is using the X-Forwarded-For feature, and you need the ACE to pass the client's original IP address.
B: The client is going to the ACE and you use X-Forwarded-For on the ACE.
Let us know your case and we will come up with a config sample.
Tnx
__ __
Pablo
01-13-2011 11:58 AM
Hi Pablo
My customer is going to use AKAMAI services, which means all the traffic will be received with AKAMAI's IP address as the source and the original client's IP inserted as the X-Forwarded-For field. This creates a small problem. Neither the Firewall nor the IPS can inspect and make decisions based on the X-Forwarded-For field. That's why I'd like to recreate the original source IP address for incoming traffic and then have it inspected by the Firewall and IPS.
Thanks for your help
01-13-2011 01:00 PM
Wow, this was one of my first experiments when I got into the ACE world; I thought I'd never see it again.
To get this working you need to configure an action list to modify the original X-Forwarded-For inserted by Akamai.
Here is how the action list should look:
ACE/Admin(config)#action-list type modify http X-FF
ACE/Admin(config-actlist-modify)#header rewrite request x-forwarded-for header-value (.*) replace %1
This action list tells the ACE to match any string in the XFF header coming from Akamai using (.*) and replace it with %1; (%1) means
copy/paste the same string that was matched with .* . In other words, the ACE makes an exact copy of the XFF header that Akamai is sending.
This action list needs to be applied under the load balancing policy as follows:
ACE/Admin(config)#policy-map type loadbalance first-match LB
ACE-4710E/Admin(config-pmap-lb)#class class-default
ACE-4710E/Admin(config-pmap-lb)# serverfarm LB
ACE-4710E/Admin(config-pmap-lb)# action X-FF
Also, if you need the Akamai IP address to be included in the XFF header as well, right next to the original client IP address, you
configure the action list with this line:
ACE/Admin(config-actlist-modify)#header rewrite request x-forwarded-for header-value "(.*)" replace "%1, %is"
HTH
__ __
Pablo
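An added example, not from this thread and not Cisco or Akamai code, showing how a downstream inspector (firewall, IPS, or the application) should read the header the ACE forwards: walk the chain from the right, skip the hops appended by proxies you trust, and take the first address you do not trust as the client. With the second action list above the header arrives as "client, akamai-ip", and a client can also send its own X-Forwarded-For, so the leftmost value is never trusted on its own. The proxy ranges are constructed placeholders; the real Akamai ranges are published by Akamai.

```python
import ipaddress
from typing import Optional

# Constructed placeholders for this example: the proxy ranges trusted to append to XFF.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder for Akamai edge ranges
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder for the ACE / your own edge
]


def is_trusted(addr: str) -> bool:
    """True if addr is a well-formed IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def original_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Return the address a firewall/IPS should attribute the request to.

    peer_addr is the source IP of the TCP connection as actually seen.
    The XFF chain is walked right to left (nearest hop first): each trusted
    proxy is skipped, and the first untrusted address is the client. Values
    further left were supplied by untrusted parties and are ignored.
    """
    if not is_trusted(peer_addr):
        # Not delivered by a trusted proxy: XFF could say anything, use the peer.
        return peer_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry appended by a trusted hop: fall back to the peer
    return peer_addr


if __name__ == "__main__":
    # Header shape produced by the "%1, %is" action list: client, then Akamai's IP.
    print(original_client_ip("198.51.100.5", "192.0.2.7, 203.0.113.10"))  # 192.0.2.7
    # Client-supplied value on the left is ignored; Akamai appended 192.0.2.7.
    print(original_client_ip("203.0.113.10", "10.0.0.1, 192.0.2.7"))      # 192.0.2.7
```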
05-07-2012 10:56 AM
Hi Pablo....
Amazing post.
BTW, I am using passive cookie-based stickiness. Recently we subscribed to the Akamai service for our website, and the problem I am facing is constantly getting a session expiry error.
Somewhere I read that Akamai nullifies the cookies inserted in the header.
Somehow my configuration for the website is not working fine. Till now it was working perfectly fine, and after changing to Akamai it started throwing issues.
I am not using cookie insert; I am using the application to insert a cookie value.
Any suggestion to tune this to make it work with the Akamai service?
Thanks,
Parvees