Mark_Curole
Jan 30, 2009

Web Accelerator and X-Forwarded-For

I have a new WA deployment. I am using a redundant pair of 6400 with the WA feature. I am running 9.4.5 HF2.

This is my typical LTM configuration that I am using for a given site:

monitor site.com_monitor {
   defaults from http
   send "GET /bigip/bigip.html HTTP/1.1\nHost: site.com\nConnection: Close\n\n"
}

pool site.com_pool {
   lb method predictive
   action on svcdown reselect
   monitor all site.com_monitor
   members
      10.1.1.1:http
      10.1.1.2:http
}

profile httpclass site.com_httpclass {
   defaults from httpclass
   wa enable
}

virtual site.com {
   pool site.com_pool
   destination 10.2.1.1:http
   ip protocol tcp
   httpclass site.com_httpclass
   profiles
      oneconnect
      tcp-lan-optimized
         clientside
      tcp-wan-optimized
         serverside
      http-acceleration
}
 

and I use a modified version of the Level 2 policy for the site. What I want to be sure of is that the web access logs on my web servers have the correct client IP address for each request, so I would like to insert the X-Forwarded-For header using the HTTP profile. I would prefer not to modify the http-acceleration profile but to create a new one that inherits from it. When I tried that, I noticed that my hits for Hot Cache went to 0. What would be the recommended way to get the X-Forwarded-For header sent to the origin servers - modify the http-acceleration profile, an iRule, or something else?

Thanks,

Mark
  • Well, I found my answer on the wiki - http://devcentral.f5.com/wiki/default.aspx/WebAccelerator/ISAPI_Filter.html. But there is one problem: the entry states that the ISAPI filter is attached in a zip, but there is no attachment - I am running IIS. Anyone know where the filter is?
  • Don_MacVittie_1
    Historic F5 Account
    That wiki entry was created two years ago by Colin. I'll ping him about it, but two years seems too long. I know another thread said that it is strongly recommended that you use the http-acceleration profile and not something that inherits from it.

    Have you seen this note on Ask F5 - https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

    Regards,

    Don.
  • Thanks Don,

    I had read that article, but it was a while back. I already have the X-Forwarded-For ISAPI filter running on my servers. I guess I can just use the iRule approach. Let me know if you find anything out about an ISAPI filter for X-Remote-Addr.

    Mark


  • When using WebAccelerator there is no need to modify the http profile to add X-Forwarded-For. WebAccelerator automatically inserts the origin client IP address in an X-Remote-Addr header. I have a zip file of an ISAPI filter; I will work with Don on getting it uploaded.
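
Added example, not part of the thread and not F5's ISAPI filter: a Python sketch of the origin-side decision such a log filter has to make, accepting X-Remote-Addr or X-Forwarded-For only when the connection really comes from the BIG-IP. The proxy addresses in TRUSTED_PROXIES are constructed placeholders, and it is assumed that the BIG-IP overwrites any client-supplied X-Remote-Addr.

```python
import ipaddress

# Assumption: source addresses the origin servers see for the BIG-IP pair
# (constructed values; the thread does not give the self IPs).
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.1.250"),
                   ipaddress.ip_address("10.1.1.251")}


def _parse(value):
    """Return an ip_address for a header token, or None if it is not one."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(peer, headers):
    """Pick the address to write to the access log for one request.

    peer    -- TCP source address of the connection to the origin
    headers -- dict of request headers (names compared case-insensitively)
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        # Direct hit on the origin: any forwarding header is client-controlled.
        return str(peer_ip)
    h = {k.lower(): v for k, v in headers.items()}
    # WebAccelerator's header first, as described in the thread.
    # Assumption: the BIG-IP replaces any copy the client sent.
    remote = _parse(h.get("x-remote-addr", ""))
    if remote is not None:
        return str(remote)
    # Fallback: walk X-Forwarded-For right to left, skipping our own proxies.
    # Entries left of the first untrusted hop were supplied by the client.
    for token in reversed(h.get("x-forwarded-for", "").split(",")):
        hop = _parse(token)
        if hop is None:
            break  # malformed entry: stop trusting the chain
        if hop not in TRUSTED_PROXIES:
            return str(hop)
    return str(peer_ip)
```

Logging the raw peer address alongside the resolved one keeps the record useful if the proxy list ever falls out of date.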