Tuesday, September 24, 2013

Configuring ACE to insert Client IP in HTTP Header


Today we are going to discuss the X-Forwarded-For field in the HTTP header. When the load 
balancer is configured for source Network Address Translation (NAT), the client IP address 
is not passed to the web server: the web server sees only the load balancer / NAT pool IP 
address instead of the actual client IP address, which is a big issue for e-commerce applications. 
Inserting the client IP address into the HTTP header allows the servers to see the 
IP address that made the connection.




ACE SLB Context
switch/SLB#show run
Generating configuration....

probe tcp SERVERS
  interval 5
  passdetect interval 10

parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance

!- Parameter-map used to configure advanced HTTP behavior.
!- Persistence-rebalance inspects every GET and matches it to specific content.
!- Without this command only the first GET in a TCP session will be inspected.

rserver host S1
  ip address 192.168.0.200
  inservice
rserver host S2
  ip address 192.168.0.201
  inservice
rserver host S3
  ip address 192.168.0.202
  inservice
rserver host S4
  ip address 192.168.0.203
  inservice

serverfarm host SF-1
  probe SERVERS
  rserver S1
    inservice
  rserver S2
    inservice
  rserver S3
    inservice
  rserver S4
    inservice

class-map match-all L4VIPCLASS
  2 match virtual-address 11.11.11.11 tcp eq www

class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm SF-1
    insert-http x-forwarded-for header-value "%is"

!- Policy-map will insert the IP address of the client: the header name is the one the
!- servers will see (x-forwarded-for, as in the capture below) and "%is" expands to the
!- source IP address of the client connection.

policy-map multi-match VIPs
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 192
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 11
  ip address 11.11.11.2 255.255.255.0
  alias 11.11.11.1 255.255.255.0
  peer ip address 11.11.11.3 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  no shutdown

!- Client side VLAN.

interface vlan 192
  ip address 192.168.0.130 255.255.255.0
  alias 192.168.0.128 255.255.255.0
  peer ip address 192.168.0.131 255.255.255.0
  nat-pool 1 192.168.0.254 192.168.0.254 netmask 255.255.255.0 pat
  no shutdown

!- Server side VLAN.

ip route 0.0.0.0 0.0.0.0 11.11.11.111

switch/SLB#


ACE Admin Context
switch/Admin#show running-config
Generating configuration....

boot system image:c6ace-t1k9-mz.A2_1_0a.bin

resource-class RC1
  limit-resource all minimum 50.00 maximum equal-to-min

class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

interface vlan 11
  ip address 11.11.11.5 255.255.255.0
  alias 11.11.11.4 255.255.255.0
  peer ip address 11.11.11.6 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

interface vlan 192
  ip address 192.168.0.4 255.255.255.0
  alias 192.168.0.10 255.255.255.0
  peer ip address 192.168.0.5 255.255.255.0
  no shutdown

ft interface vlan 550
  ip address 192.168.1.4 255.255.255.0
  peer ip address 192.168.1.5 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 550

ft group 1
  peer 1
  peer priority 90
  associate-context Admin
  inservice

ip route 0.0.0.0 0.0.0.0 11.11.11.111

context SLB
  allocate-interface vlan 11
  allocate-interface vlan 192
  member RC1

  ft group 2
  peer 1
  no preempt
  associate-context SLB
  inservice

username admin password 5 $TJRNxsLPi5BZ97v0/ role Admin domain default-domain 


switch/Admin#

The "show stats http" command should show the number of headers inserted.

A sample packet capture on the server side should look like this:

GET http://www.spiceup.net.in HTTP/1.1
x-forwarded-for: 22.22.22.22
Accept: image/gif, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.spiceup.net.in/
Accept-Language: en-SG
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Host: www.spiceup.net.in
Connection: Keep-Alive
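Once ACE inserts the header, the backend still has to decide when to believe it. The following is an added example (not part of the original post or of ACE) of how a web server should pick the client address: it honours X-Forwarded-For only when the TCP peer is the ACE NAT pool address from the SLB context above (192.168.0.254, assumed to be the only proxy in front of the servers), and falls back to the peer address when the header is missing, malformed or carries more than one address.

```python
import ipaddress
from typing import List, Tuple

# Address the backend servers see as the TCP peer after ACE source NAT:
# the nat-pool on VLAN 192 in the post's SLB context (assumption: it is
# the only proxy in front of the servers).
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.0.254")}

def xff_values(raw_request: str) -> List[str]:
    """Collect every X-Forwarded-For address from a raw request, in order.
    Repeated headers and comma-separated lists are both flattened."""
    values: List[str] = []
    for line in raw_request.strip().splitlines()[1:]:   # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == "x-forwarded-for":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values

def client_ip(peer_ip: str, raw_request: str) -> Tuple[str, str]:
    """Decide which address to log on or rate-limit on.

    Returns (address, reason). The header is honoured only when the TCP
    peer is the load balancer's NAT address and exactly one address is
    present: anyone reaching the server directly can set the header, and
    a request that already carried X-Forwarded-For before ACE added its
    own yields two values whose order should not be guessed."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer), "peer: not from load balancer, header ignored"
    values = xff_values(raw_request)
    if len(values) != 1:
        return str(peer), f"peer: expected one forwarded address, got {len(values)}"
    try:
        return str(ipaddress.ip_address(values[0])), "x-forwarded-for"
    except ValueError:
        return str(peer), "peer: forwarded value is not an IP address"

# Constructed sample: the capture from the post, as the server would receive it.
SAMPLE_REQUEST = """GET http://www.spiceup.net.in HTTP/1.1
x-forwarded-for: 22.22.22.22
Host: www.spiceup.net.in
Connection: Keep-Alive
"""

if __name__ == "__main__":
    print(client_ip("192.168.0.254", SAMPLE_REQUEST))   # via ACE: header trusted
    print(client_ip("10.9.8.7", SAMPLE_REQUEST))        # direct hit: header ignored
```

The same check belongs in any access-log, WAF or rate-limit configuration on the servers, otherwise a client that can reach a server's real address bypasses the NAT and chooses its own logged IP.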

