Chat now with support
Chat with Support

Foglight Experience Monitor 5.8.1 - Installation and Administration Guide

Installing and configuring Multi-appliance clusters Configuring the appliance Specifying monitored web traffic Transforming monitored URLs Managing applications Foglight components and the appliance Using the console program Troubleshooting the appliance Appendix: Third party software Appendix: Dell PowerEdge system appliance

Using X-Forwarded-For

The X-Forwarded-For (XFF) HTTP header is a method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy.

Without the use of XFF or another similar technique, any connection through the proxy reveals only the originating IP address of the proxy server. This makes the detection and prevention of abusive accesses significantly harder than if the originating IP address was available.

You can use a product such as Big-IP to translate the source IP address of the incoming packet to the original client IP address or what is referred to as a Secure Network Address Translation (SNAT).

A SNAT provides a secure mechanism for translating internal, non-routable addresses into routable addresses. When the BIG-IP system translates the source IP address of the incoming packet to the SNAT address, the web server sees the request as originating from the SNAT address, not the original client IP address.

To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header, you can use one of the following methods:

For more information, see these topics:

Enabling the insert X-Forwarded-For in the HTTP profile

To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header, perform the following procedure:

2
Click Local Traffic.
3
Click Profiles.
4
Click HTTP from the Services list.
5
Click Create.
7
Select the Insert XForwarded For check box.
8
Select Enabled from the list.
9
Click Finished.

iRule

To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header using an iRule, perform the following procedure:

2
Click Local Traffic.
3
Click iRules.
4
Click the Create.
7
Click the Finished.

Configuring the web server to extract the IP address from the HTTP header

Once you have configured the BIG-IP system to insert the original client IP address in an HTTP header using an X-Forwarded-For HTTP header, you must also configure the web server to extract the IP address from the HTTP header, and log the IP address to the web server log file.

You can configure an Apache™ web server to extract the IP address from the X-Forwarded-For HTTP header and log the IP address to the web server log file by adding the appropriate logging directives to the Apache httpd.conf file. For example:

For more information about Apache logging, see the Apache documentation.

You can configure the Microsoft® IIS web server to extract the IP address from the X-Forwarded-For HTTP header and log the IP address to the web server log file. To do so, you will need to download and install the IIS X-Forwarded-For ISAPI Log Filter from http://devcentral.f5.com.

The IIS ISAPI filter will look for the X-Forwarded-For HTTP header in the HTTP request. If the IIS ISAPI filter finds an X-Forwarded-For HTTP header in the HTTP request, it will replace the client IP address in the W3SVC log traces with the value of the X-Forwarded-For HTTP header.

Related Documents