
Insert Source IP to an already loadbalanced HTTP Traffic or if the XFF already exists


Introduction

In a Cisco ACE configuration, real servers are dedicated physical servers that you typically configure in groups called server farms. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors.

 

HTTP header insertion is used to identify the original source IP address of a source-NATed (SNATed) packet. The X-Forwarded-For (XFF) HTTP header field is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

 

Insert or Modify HTTP Header

The ACE can insert or modify HTTP headers using a Layer 7 policy. This is described in detail in the configuration guide.

 

Here is a sample config that inserts a header carrying the source IP, as per the SLB configuration guide:

 

action-list type modify http HTTP-INSERT-XFF-HEADER-SRCIP-ACTIONLIST

  header insert request ISPx-HEADER-CLIENTSRCIP header-value %is

 

policy-map type loadbalance http first-match PUBLICBASIC-001-SLB01-POLICYMAP

  class class-default

    sticky-serverfarm SRC-IP-STICKY-SRVFARM-01

    action HTTP-INSERT-XFF-HEADER-SRCIP-ACTIONLIST

 

In this example, the source IP is inserted into a header called ISPx-HEADER-CLIENTSRCIP. Alternatively, one can name the header “X-Forwarded-For” to comply with the standard instead of “ISPx-HEADER-CLIENTSRCIP”. But if some other proxy has already set the “X-Forwarded-For” header, the ACE adds another header with the same name instead of appending the IP to the existing header (this is the expected behavior of the “header insert” command). Some servers then concatenate the content of identical headers to form a chain of source IPs (e.g. Apache); some do not.

 

Insert Source IP to an existing XFF list

To add the source IP to an already existing list of XFF IP addresses instead, the “header rewrite” action should be used on the ACE:

 

header rewrite request X-Forwarded-For header-value "(.*)" replace "%1, %is"

 

But because this “header rewrite” action only works if the header already exists, the SLB policy first needs a class that checks whether the header is present before deciding whether to insert or rewrite. The configuration becomes:

 

class-map type http loadbalance match-all EXISTING-XFF-HEADER-CLASSMAP

  5 match http header X-Forwarded-For header-value ".*"

 

action-list type modify http HTTP-INSERT-XFF-HEADER-SRCIP-ACTIONLIST

  header insert request X-Forwarded-For header-value %is

 

action-list type modify http HTTP-REWRITE-XFF-HEADER-SRCIP-ACTIONLIST

  header rewrite request X-Forwarded-For header-value "(.*)" replace "%1, %is"

 

policy-map type loadbalance http first-match PUBLICBASIC-001-SLB01-POLICY

  class EXISTING-XFF-HEADER-CLASSMAP

    sticky-serverfarm SRC-IP-STICKY-SRVFARM-01

    action HTTP-REWRITE-XFF-HEADER-SRCIP-ACTIONLIST

  class class-default

    sticky-serverfarm SRC-IP-STICKY-SRVFARM-01

    action HTTP-INSERT-XFF-HEADER-SRCIP-ACTIONLIST

 

Verify

One should test both a header insertion and a header rewrite to validate that both behaviors work. This can be done with a multi-tiered load-balancing scenario in which the first tier does an insert because no XFF header is present, and a second tier does a rewrite after detecting that the header is present.

 

You can use a packet dump on the rservers to validate the header insertion / rewrite.
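As an added illustration (not configuration or code from this page or from Cisco), the following Python models the first-match policy above and the two-tier verification scenario: the class-map check, the “header rewrite” with “(.*)” / “%1, %is”, and the “header insert” of the first config are modelled on the commands shown, while the header values and IP addresses are constructed sample data. It also shows what the rserver should do with the resulting chain, since the leftmost XFF entries can be supplied by the client.

```python
import re

XFF = "X-Forwarded-For"  # header name used by the insert/rewrite actions above


def rewrite_xff(value: str, src_ip: str) -> str:
    """Model of: header rewrite request X-Forwarded-For header-value "(.*)" replace "%1, %is".
    count=1 keeps Python's re.sub from also replacing the empty match after the string."""
    return re.sub(r"(.*)", lambda m: f"{m.group(1)}, {src_ip}", value, count=1)


def ace_policy(headers, src_ip):
    """First-match policy from the page: if an X-Forwarded-For header is present
    (EXISTING-XFF-HEADER-CLASSMAP, value ".*") apply the rewrite, else (class-default) insert %is.
    Headers are an ordered list of (name, value) because HTTP allows repeated names."""
    out = list(headers)
    present = [i for i, (name, _) in enumerate(out) if name.lower() == XFF.lower()]
    if present:  # assumption: with several XFF headers the first one is rewritten
        i = present[0]
        out[i] = (XFF, rewrite_xff(out[i][1], src_ip))
    else:
        out.append((XFF, src_ip))
    return out


def insert_only_policy(headers, src_ip):
    """The first config on the page: 'header insert' always adds another header,
    so a request that already carries XFF ends up with two of them."""
    return list(headers) + [(XFF, src_ip)]


def two_tier_chain(client_headers, client_ip, tier1_snat_ip):
    """Verify scenario: tier 1 sees the real client (no XFF yet -> insert) and SNATs to
    tier1_snat_ip; tier 2 sees tier 1's address and finds XFF present -> rewrite."""
    return ace_policy(ace_policy(client_headers, client_ip), tier1_snat_ip)


def client_ip(headers, trusted_hops):
    """What the rserver should do with the chain: join repeated XFF headers (as Apache does),
    then take the entry appended by the outermost trusted ACE, i.e. trusted_hops from the
    right. Entries further left may have been supplied by the client and must not be trusted."""
    chain = [p.strip() for name, val in headers if name.lower() == XFF.lower()
             for p in val.split(",") if p.strip()]
    return chain[-trusted_hops]


if __name__ == "__main__":
    # constructed sample: a client that already sends a forged XFF value
    forged = [("Host", "www.example.com"), (XFF, "10.9.9.9")]
    chain = two_tier_chain(forged, "198.51.100.7", "10.1.1.2")
    print(chain)                # [..., ('X-Forwarded-For', '10.9.9.9, 198.51.100.7, 10.1.1.2')]
    print(client_ip(chain, 2))  # 198.51.100.7 (not the forged 10.9.9.9)
```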

 

Related Information

Health Monitoring Best Practices for Cisco ACE

Management Features and Capabilities on ACE appliance

Insert WWW in the URL of client request using ACE

Load Balance Multiple Networks on ACE Sharing a Common VLAN
