

The X-Forwarded-For Header

Most mainstream proxy servers support what is known as the X-Forwarded-For header, which is a custom header that the proxy inserts into the HTTP request so that the client IP address can be read by the target web/app server. The Wikipedia article describes it much better than I could--this article focuses on how to set things up on your BigIP or your Apache server so that this useful IP address can get passed along to your upstream server.

For all intents and purposes, the BigIP is a reverse proxy--a high-end, load-balancing, application delivery proxy, but nevertheless, it is a proxy. By default, requests sent to it are NATted to a load-balanced node, so the web server does not see the IP address of the end user--it sees the IP address of the BigIP. This makes setting up things like IP address restrictions or geo-location services difficult because all your users will look like they are coming from the same place inside your network.

Using mod_proxy to load-balance requests to an upstream application server puts the Apache httpd server in reverse proxy mode for that particular web app as well--so web applications that need to see the client IP address for reasons similar to the above are out of luck too.

Enabling the X-Forwarded-For Header in the BigIP

The X-Forwarded-For header is enabled and disabled from within the HTTP profile in the 9.x version of the BigIP software. If you are using the base http profile in your VIPs (or if you are using an HTTP profile that uses the base http profile as a "parent profile") and you have not modified the base http profile, then this option is disabled by default. Enabling it is simply a matter of selecting "Enabled" from the dropdown labeled "XForwarded-for" and you are all set!

OK... you aren't really all set. All this does is configure VIPs that use this particular profile to insert the X-Forwarded-For header in requests that will be routed to a particular web server. If the web server doesn't know what to do with this header, it will cheerfully ignore it. F5 also developed an ISAPI plug-in for IIS that will write the IP address of the client into the web server's log in place of the BigIP's address. For Apache web servers, you will need to modify the LogFormat directive so that you drop the %h (client IP) field and replace it with the %{X-Forwarded-For}i field.

Enabling the X-Forwarded-For Header in mod_proxy

Now that you are passing the client IP address to your web server, what if you want to pass the client IP address along to your application servers as well? Well, if you're using mod_proxy_http (or mod_proxy_balancer with workers that are using mod_proxy_http), then you don't really need to do anything. The documentation on the Apache site implies that mod_proxy automatically forwards three headers (X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server).
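How an application server at the end of the BigIP -> Apache chain described above can pick the client address out of the header it receives, as an added example that is not code from the original post or from F5 or Apache. It assumes each proxy appends the address it saw to any X-Forwarded-For value already present; the proxy networks and sample addresses are constructed, and `client_ip` is a hypothetical helper name.

```python
import ipaddress

# Constructed addresses: the only hosts allowed to vouch for a client IP.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/24"),   # hypothetical BigIP self-IP range
    ipaddress.ip_network("10.0.1.10/32"),  # hypothetical Apache mod_proxy host
]


def _is_trusted(addr):
    # A v4/v6 mismatch simply evaluates to False.
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to use for IP restrictions, geo-location or logging.

    peer_addr  -- source address of the TCP connection the app server accepted
    xff_header -- raw X-Forwarded-For value, or None when the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # The header only means something when one of our own proxies delivered
    # the request; any other peer could have written whatever it liked.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    candidate = peer
    # Entries on the right were appended by the proxies closest to us, so walk
    # right to left and stop at the first address that is not one of ours.
    # Anything further left was supplied by the client and is not trusted.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that validated
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed request: client sent its own X-Forwarded-For: 192.0.2.99
    print(client_ip("10.0.1.10", "192.0.2.99, 198.51.100.4, 10.0.0.5"))
```

The same right-to-left rule applies when reading a `%{X-Forwarded-For}i` log field that holds more than one address.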

