08-21-2009 01:54 AM
I deployed a hot-standby setup with SSL offload and some web servers behind it - everything works great except for the fact that I cannot see the client IP addresses in the web server logs. All I am seeing are the load balancer IP addresses. Any ideas?
08-21-2009 02:04 AM
This sounds like source-nat is enabled globally or locally for the real servers you are talking about. Have a look at the configuration and check if there is anything with the string "source-nat" in it. It might be possible to get rid of this problem by disabling source-nat BUT it is as well possible that source-nat is required due to your network topology.
Looking at the clients, the ServerIron and the real servers:
Is there any way around the ServerIron in case the real servers want to talk with the clients? Is it a one-armed setup or not? What is the default gateway of the real servers?
08-21-2009 03:09 AM
There is a way around the ServerIrons. It is a one-armed setup looking like:
ROUTER -- ServerIrons
The real servers' default gateway is the router, which is basically able to forward traffic directly to the client. I guess that is a way around the ServerIron.
08-21-2009 03:17 AM
Source-nat is needed in this scenario. The real servers' default gateway is the router, and there is no requirement for the router to forward the reply traffic to the ServerIron because the router itself is able to route it back to the client. The problem with this is that the ServerIron is not able to replace the real server IP with the virtual server IP if it does not get the reply traffic. This would result in communication problems.
Source-NAT is going to hide the real client IPs behind a ServerIron owned IP address. Return traffic needs to go to the ServerIron doing this because it is looking like the ServerIron itself is the client from the real servers point of view. I am 100% sure you do have source-nat enabled and it is not going to work if you disable it - you would need to redesign the setup to get this up and running without source-NAT.
One thing to think about is to insert an additional header into the request - the ServerIron is able to put the original client IP address into an HTTP header. The real servers are then able to get the client IP address out of this header:
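To show what the real server side of the header approach looks like, here is an added example that is not part of the thread and not ServerIron or vendor code. It assumes a header name of X-Forwarded-For (the thread does not name the header), a balancer source-NAT address of 10.0.0.10, and that the balancer appends the client address to any value the client already sent. The point it adds beyond the post above: because the real servers are reachable around the ServerIron (via the router, as discussed earlier in the thread), a client can connect directly and forge the header, so the server must only trust the header when the TCP peer is the balancer's source-NAT address.

```python
"""Added example (not from the original thread): recover the original client
IP on a real server behind a source-NATing load balancer, trusting the
inserted header only when the request actually arrived from the balancer.

Assumptions (not stated in the thread): header name X-Forwarded-For,
balancer source-NAT address 10.0.0.10, balancer appends to an existing header.
"""
import ipaddress

# Assumed source-NAT address(es) of the ServerIron pair; only these peers are trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.10")}
CLIENT_IP_HEADER = "x-forwarded-for"  # assumed header name, compared case-insensitively


def parse_request(raw):
    """Minimal HTTP/1.x request-head parser: returns (request line, {name: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def client_ip(peer_ip, headers):
    """Return the address to log as the client.

    If the TCP peer is not a trusted proxy, the request bypassed the balancer
    and whoever connected could have forged the header, so the peer address
    itself is returned. If the peer is the balancer, the header is a
    comma-separated list whose last element is what the balancer appended
    (the address it actually saw); earlier elements came from the client
    and are untrusted.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer_ip
    value = headers.get(CLIENT_IP_HEADER)
    if not value:
        return peer_ip  # balancer did not insert the header: log the NAT address
    candidate = value.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # malformed value: fall back to the balancer address


def log_line(peer_ip, raw_request):
    """Produce the access-log prefix a web server would write for this request."""
    request_line, headers = parse_request(raw_request)
    return '%s "%s"' % (client_ip(peer_ip, headers), request_line)


# Constructed sample requests (not captured traffic).
# 1) Normal request via the balancer, header inserted by the balancer.
REQ_VIA_LB = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"X-Forwarded-For: 198.51.100.7\r\n\r\n")
# 2) Client sent its own forged header; the balancer appended the real address.
REQ_SPOOF_VIA_LB = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"X-Forwarded-For: 1.2.3.4, 198.51.100.7\r\n\r\n")
# 3) Client reached the real server directly (around the ServerIron) with a forged header.
REQ_DIRECT_SPOOF = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"X-Forwarded-For: 1.2.3.4\r\n\r\n")

if __name__ == "__main__":
    print(log_line("10.0.0.10", REQ_VIA_LB))        # logs 198.51.100.7
    print(log_line("10.0.0.10", REQ_SPOOF_VIA_LB))  # still logs 198.51.100.7
    print(log_line("203.0.113.5", REQ_DIRECT_SPOOF))  # logs 203.0.113.5, not 1.2.3.4
```

With a hot-standby pair, both ServerIron source-NAT addresses belong in TRUSTED_PROXIES; anything else that can reach the real servers directly stays untrusted, which is exactly the path the router provides in this topology.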