Application Delivery (ADX)

Client IP insertion with HTTP or HTTPS (using SSL offload/acceleration)

Posted 05-08-2009 03:38 AM

Summary

We want to insert a new header in the request forwarded to the real server, containing the client ip address.

Specifics

This feature is generally used together with source-nat, when the ServerIron acts as a proxy. By default, the new header is called "client-ip"; the name can be changed to any string.

The client-ip insertion can be applied to any forward rule, or to the default rule, in a CSW policy.

In this example, we will forward all requests whose URL ends in "html" to the real server named rs10, and all other requests to the real server rs20. In both cases, we will insert the client-ip header into the request.

The HTTP requests will look like this coming from the client (original request):

GET / HTTP/1.1\r\n
Host: 10.45.4.245\r\n
User-Agent: ELinks/0.9.2 (textmode; Linux; 90x30)\r\n
Accept: */*\r\n
Accept-Encoding: bzip2, gzip\r\n
Accept-Language: en\r\n
Connection: Keep-Alive\r\n
\r\n

The modified request is going to look like the following one (look at the NEW header Client-IP):

GET / HTTP/1.1\r\n
Client-IP: 10.45.4.19 \r\n
Host: 10.45.4.245\r\n
User-Agent: ELinks/0.9.2 (textmode; Linux; 90x30)\r\n
Accept: */*\r\n
Accept-Encoding: bzip2, gzip\r\n
Accept-Language: en\r\n
Connection: Keep-Alive\r\n
\r\n

Topology Diagram

none

Sample Code/Configuration

A config with plain-text HTTP traffic would look like:
server source-nat-ip 10.45.4.254 255.255.255.0 0.0.0.0 port-range 2
!
csw-rule "r1" url suffix html
!
csw-policy "p1"
  match r1 forward 1
  match r1 rewrite request-insert client-ip
  default forward 2
  default rewrite request-insert client-ip
!
server real rs10 10.45.4.10
  source-nat
  port http
  port http url "HEAD /"
  port http group-id 1 1
!
server real rs20 10.45.4.20
  source-nat
  port http
  port http url "HEAD /"
  port http group-id 2 2
!
server virtual vip1 10.45.4.245
  port http
  port http csw-policy "p1"
  port http csw
  bind http rs10 http rs20 http
!

A config with HTTPS traffic looks slightly different. HTTPS traffic is encrypted, and it is not possible to insert anything into encrypted traffic, so the ServerIron has to decrypt it first. Decrypting the traffic means doing SSL offload/acceleration on the ServerIron, so SSL offload at the ServerIron is required for this, and it needs ADX OS >= 12.1. A configuration would look like:

ssl profile verisign128
    keypair-file verisign128key
    certificate-file verisign128cert
    cipher-suite all-cipher-suites
    enable-certificate-chaining
    session-cache off
!
server source-nat-ip 10.45.4.254 255.255.255.0 0.0.0.0 port-range 2
server source-nat-ip 10.45.4.253 255.255.255.0 0.0.0.0 port-range 2 for-ssl
!
csw-rule "r1" url suffix html
!
csw-policy "p1"
  match r1 forward 1
  match r1 rewrite request-insert client-ip
  default forward 2
  default rewrite request-insert client-ip
!
server real rs10 10.45.4.10
  source-nat
  port http
  port http url "HEAD /"
  port http group-id 1 1
!
server real rs20 10.45.4.20
  source-nat
  port http
  port http url "HEAD /"
  port http group-id 2 2
!
server virtual vip1 10.45.4.245
  port ssl
  no port ssl sticky
  port ssl ssl-terminate verisign128
  port ssl csw-policy "p1"
  port ssl csw
  bind http rs10 http rs20 http
!
ATTENTION: This requires SSL offload - ensure you are using at least ADX OS >= 12.1.
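As an added illustration (example code, not from the article or from the ADX), the following Python models the rewrite shown above and the check a real server should make before trusting the inserted header: with source-nat, the peer address the real server sees is the source-nat-ip (10.45.4.254, or 10.45.4.253 for SSL), so the Client-IP value is only meaningful when the connection arrives from one of those addresses. Dropping a client-supplied Client-IP header before inserting the proxy's own, and the trusted-peer check on the server side, are assumptions of this example, not behaviour the article states.

```python
import ipaddress

# Constructed sample: the client's original request from the article,
# as it appears on the wire (CRLF line endings, empty body).
ORIGINAL_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 10.45.4.245\r\n"
    b"User-Agent: ELinks/0.9.2 (textmode; Linux; 90x30)\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: bzip2, gzip\r\n"
    b"Accept-Language: en\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Source-NAT addresses from the configurations above: the real servers see
# these as the TCP peer, not the client (10.45.4.253 is the for-ssl address).
SOURCE_NAT_IPS = {"10.45.4.254", "10.45.4.253"}


def insert_client_ip(request: bytes, client_ip: str, header_name: str = "Client-IP") -> bytes:
    """Model of 'rewrite request-insert client-ip': add one header carrying the
    client's address directly after the request line, leaving the rest intact.
    Assumption (not stated in the article): a copy of the header sent by the
    client itself is discarded so that only the proxy's value survives."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    name = header_name.encode()
    kept = [l for l in lines[1:] if not l.lower().startswith(name.lower() + b":")]
    new_head = b"\r\n".join([lines[0], name + b": " + client_ip.encode()] + kept)
    return new_head + sep + body


def client_ip_from_request(request: bytes, peer_ip: str, header_name: str = "Client-IP") -> str:
    """Real-server side: honour the inserted header only when the TCP peer is
    one of the ServerIron's source-NAT addresses; otherwise the peer itself is
    the client. A malformed header value raises ValueError instead of being used."""
    if peer_ip not in SOURCE_NAT_IPS:
        return peer_ip
    head = request.split(b"\r\n\r\n", 1)[0]
    prefix = header_name.lower().encode() + b":"
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(prefix):
            value = line.split(b":", 1)[1].strip().decode()
            ipaddress.ip_address(value)  # validate before trusting it
            return value
    return peer_ip  # proxy did not insert the header for this request
```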

Contributors: yliaqatu