AskF5 Knowledge Base


sol4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT
How-To

Original Publication Date: 05/16/2007
Updated Date: 02/12/2013

A SNAT is an object that maps an original client IP address to a translation address defined on the BIG-IP system. When the BIG-IP system receives a request whose source IP address matches an address defined in a SNAT, it translates the source IP address of the incoming packet to the SNAT address.

When the BIG-IP system translates the source IP address of the incoming packet to the SNAT address, the web server sees the request as originating from the SNAT address, not the original client IP address. If the web servers are required to log the original client IP address for requests, the SNAT address translation behavior can become problematic.

It may be necessary for the BIG-IP system to insert the original client IP address in an HTTP header and configure the web server receiving the request to log the client IP address instead of the SNAT address.

Note: You can insert HTTP headers in HTTPS traffic only if the client connects to a BIG-IP virtual server configured with a Client SSL profile. When the BIG-IP system terminates the SSL connection, it has access to the unencrypted HTTP data. For information about configuring an SSL virtual server, refer to the BIG-IP Configuration Guide for your product and version.

Note: HTTP requests processed by the BIG-IP WebAccelerator module will also experience a source address translation. For information about using the X-Remote-Addr HTTP header to preserve the original client IP address for traffic being translated by a BIG-IP WebAccelerator module, refer to SOL7441: Using the X-Remote-Addr HTTP header to preserve the original client IP address for traffic being translated by a WebAccelerator.

Note: In versions prior to 10.1.0, the BIG-IP ASM system does not support the use of the X-Forwarded-For header for logging purposes. For more information, refer to SOL8010: The BIG-IP ASM does not support the use of the X-Forwarded-For header for logging purposes. In version 10.1.0, the new Trusted X-Forwarded-For feature was introduced to the BIG-IP ASM system. For further details about the Trusted X-Forwarded-For header, refer to SOL12264: Overview of the Trusted X-Forwarded-For header.

Note: Many servers and applications expect only a single X-Forwarded-For header per request. However, the BIG-IP system adds a new X-Forwarded-For header to the existing set of HTTP headers, even if the request already contains an X-Forwarded-For header. Both approaches are valid according to Section 4.2 of RFC 2616. F5 Product Development is tracking a request for enhancement as ID 247020 (formerly CR107639) for the BIG-IP system to instead append the value to the last existing X-Forwarded-For header. For applications that expect a single X-Forwarded-For header, you can use an iRule instead of the HTTP profile option to append the client IP address to the end of any existing X-Forwarded-For header. The F5 DevCentral iRules CodeShare contains an example of such an iRule: X Forwarded For Single Header Insert. A DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).

To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header, you can use one of the following methods:

  • Enable the Insert X-Forwarded For option in the HTTP profile
  • Use an iRule

Enabling the Insert X-Forwarded For option in the HTTP profile

To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header, perform the following procedure:

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Click HTTP from the Services drop-down menu.
  5. Click Create.
  6. Type a name for the HTTP profile.
  7. Select the check box next to Insert X-Forwarded For.

    Note: Older versions of BIG-IP software may display the option as Insert XForwarded For instead of Insert X-Forwarded-For.

  8. Select Enabled from the Insert X-Forwarded For drop-down menu.
  9. Click Update.

    Note: On older versions of BIG-IP software, you may need to click the Finished button instead of Update.

    You must now associate the new HTTP profile with the virtual server.

iRule

To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header using an iRule, perform the following procedure:

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click iRules.
  4. Click Create.
  5. Type a name in the Name field.
  6. Copy and paste the following iRule in the Definition field:

    when HTTP_REQUEST {
        # Add an X-Forwarded-For header carrying the original (pre-SNAT) client IP address
        HTTP::header insert X-Forwarded-For [IP::remote_addr]
    }

  7. Click the Finished button. You must now associate the new iRule with the virtual server.

Configuring the web server to extract the IP address from the HTTP header

Once you have configured the BIG-IP system to insert the original client IP address in an HTTP header using an X-Forwarded-For HTTP header, you must also configure the web server to extract the IP address from the HTTP header, and log the IP address to the web server log file.

Important: For specific details about using HTTP header information in log files, refer to the documentation provided by the vendor for your specific web server.

Apache web server

You can configure an Apache web server to extract the IP address from the X-Forwarded-For HTTP header and log that IP address to the web server log file by adding the appropriate logging directives to the main Apache configuration file (typically named httpd.conf) or to the relevant virtual host configuration file(s).

For example:

LogFormat "%v %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" X-Forwarded-For
CustomLog /var/log/apache/www.example.com-xforwarded.log X-Forwarded-For

Refer to the Apache logging documentation for more details.
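The following Python script is an added example, not part of this article or of any F5 software. It parses lines written by the LogFormat above and resolves the client address, and it also covers the multiple-header case from the note earlier: a client may send its own X-Forwarded-For header, and the BIG-IP system adds its own header after it, so the rightmost address is the one the BIG-IP system observed and anything to its left is unverified client input. The sample log lines are constructed.

```python
import ipaddress
import re

# Regex for the LogFormat shown above:
#   "%v %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b"
# The X-Forwarded-For field is matched lazily because a merged value
# ("client, proxy") contains spaces; %l and %u are single tokens, %t is bracketed.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

def client_ip_from_xff(header_values):
    """Return the address the BIG-IP recorded, or None.

    header_values: the X-Forwarded-For values in the order received. The BIG-IP
    adds its header after any header the client sent, so the rightmost address
    is the one it observed; anything to its left came from the client unverified.
    """
    hops = []
    for value in header_values:
        hops.extend(h.strip() for h in value.split(",") if h.strip())
    if not hops:
        return None
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return None  # not an IP address: treat the header as absent

def parse_xff_log_line(line):
    """Parse one line written by the CustomLog above; None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # Apache logs "-" when the header is absent. A merged or single-header
    # (iRule) value is comma-separated, and the same rightmost rule applies.
    rec["client_ip"] = None if rec["xff"] == "-" else client_ip_from_xff([rec["xff"]])
    return rec

# Constructed sample log lines in the format above (not from the original article).
SAMPLE_LOG = [
    'www.example.com 198.51.100.20 - - [12/Feb/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    'www.example.com 203.0.113.7, 198.51.100.20 - - [12/Feb/2013:10:00:01 +0000] "GET /admin HTTP/1.1" 403 0',
    'www.example.com - - - [12/Feb/2013:10:00:02 +0000] "GET /health HTTP/1.1" 200 -',
]

def client_ips(lines=SAMPLE_LOG):
    # Client IP per log line, as a log-analysis script would consume it.
    return [parse_xff_log_line(l)["client_ip"] for l in lines]
```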

Microsoft IIS web server

You can configure the Microsoft IIS web server to extract the IP address from the X-Forwarded-For HTTP header and log the IP address to the web server log file. To do so, you will need to download and install the 32-bit and/or 64-bit release versions of the IIS X-Forwarded-For ISAPI Log Filter from http://devcentral.f5.com.

Note: A DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).

The IIS ISAPI filter, which can be installed under IIS 6.x or IIS 7.x, will look for the X-Forwarded-For HTTP header in the HTTP request. If the IIS ISAPI filter finds an X-Forwarded-For HTTP header in the HTTP request, it will replace the client IP address in the W3SVC log traces with the value of the X-Forwarded-For HTTP header.

To download and install the IIS X-Forward-For ISAPI Filter, perform the following procedure:

  1. Log on to http://devcentral.f5.com.

    Note: A DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).

  2. In the upper right corner, search for IIS X-Forward-For ISAPI Filter.
  3. In the DevCentral Results section, click IIS X-Forward-For ISAPI Filter.
  4. In the article, click CodeShare to download the .zip file.
  5. To install the filter, add it to your Microsoft IIS website using the Microsoft IIS manager utility.

Beginning with IIS 7, Microsoft also provides an optional Advanced Logging feature for IIS that allows you to define custom log definitions that can capture additional information such as the client IP address included in the X-Forwarded-For header, without installing the ISAPI log filter. To configure the IIS web server to log the X-Forwarded-For header, you must have already installed IIS Advanced Logging.

For details on configuring Microsoft IIS, refer to the Microsoft IIS product manual, or to Sections 1-11 and 1-12 of the Microsoft Internet Information Services 7.0 and 7.5 (BIG-IP v10) Deployment Guide.

Note: For instructions on installing IIS Advanced Logging, refer to the following document: http://www.iis.net/community/files/media/advancedlogging_readme.htm

These links will take you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
