sol4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT
How-To

Original Publication Date: 05/16/2007
Updated Date: 02/10/2014

A Secure Network Address Translation (SNAT) is an object that maps an original client IP address to a translation address defined on the BIG-IP device. When the BIG-IP system receives a request whose source IP address matches a SNAT definition, it translates the source IP address of the incoming packet to the SNAT address.

When the BIG-IP system translates the source IP address of the incoming packet to the SNAT address, the web server sees the request as originating from the SNAT address, not the original client IP address. If the web servers are required to log the original client IP address for requests, the SNAT address translation behavior can become problematic.

It may be necessary for the BIG-IP system to insert the original client IP address in an HTTP header and configure the web server that is receiving the request to log the client IP address instead of the SNAT address.

Note: You can insert HTTP headers in HTTPS traffic only if the client connects to a BIG-IP virtual server configured with a Client SSL profile. When the BIG-IP system terminates the Secure Sockets Layer (SSL) connection, it has access to the unencrypted HTTP data. For information about configuring an SSL virtual server, refer to the BIG-IP Configuration Guide for your product and version.

Note: HTTP requests processed by the BIG-IP WebAccelerator module also experience a source address translation. For information about using the X-Remote-Addr HTTP header to preserve the original client IP address for traffic being translated by a BIG-IP WebAccelerator module, refer to SOL7441: Using the 'X-Remote-Addr' HTTP header to preserve the original client IP address for traffic being translated by BIG-IP WebAccelerator (9.x - 10.x).

Note: In versions prior to 10.1.0, the BIG-IP ASM system does not support the use of the X-Forwarded-For header for logging purposes. For more information, refer to SOL8010: The BIG-IP ASM does not support the use of the X-Forwarded-For header for logging purposes. In version 10.1.0, the new Trusted X-Forwarded-For feature was introduced to the BIG-IP ASM system. For further details about the Trusted X-Forwarded-For header, refer to SOL12264: Overview of the Trusted X-Forwarded-For header.

Note: Many servers and applications expect only a single X-Forwarded-For header per request. However, the BIG-IP system appends a new X-Forwarded-For header to the existing set of HTTP headers, even if the request already contains an X-Forwarded-For header. Both approaches are valid according to the Internet Engineering Task Force (RFC 2616, Section 4.2), which treats repeated headers of the same name as equivalent to a single comma-separated list. F5 Product Development is tracking a request for enhancement as ID 247020 (formerly CR107639) for the BIG-IP system to append the value to the last existing X-Forwarded-For header. For applications expecting a single X-Forwarded-For header, it is possible to use an iRule instead of the HTTP profile option to append the client IP value to the end of any existing X-Forwarded-For header. The F5 DevCentral iRules CodeShare contains an example of such an iRule: X Forwarded For Single Header Insert. A DevCentral login is required to access this content.

To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header, use one of the following methods:

Enabling the Insert X-Forwarded-For option in the HTTP profile

To configure the BIG-IP system to insert the original client IP address in an X-Forwarded-For HTTP header, perform the following procedure:

  1. Log in to the BIG-IP Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the Services menu, click HTTP.
  4. Click Create.
  5. Type a name for the HTTP profile.
  6. Select the Insert X-Forwarded-For check box.

    Note: Older versions of BIG-IP software may display the option as Insert XForwarded For instead of Insert X-Forwarded-For.

  7. From the Insert X-Forwarded-For menu, select Enabled.
  8. Click Update.

    Note: On older versions of BIG-IP software, you may need to click Finished, instead of Update.

    You must now associate the new HTTP profile with the virtual server.

Using an iRule to insert the original client IP address in an X-Forwarded-For HTTP header

  1. Log in to the BIG-IP Configuration utility.
  2. Navigate to Local Traffic > iRules > Create.
  3. In the Name box, type a name.
  4. In the Definition box, copy and paste the following iRule:

    when HTTP_REQUEST {
        # Add a header carrying the client's pre-SNAT source address
        HTTP::header insert X-Forwarded-For [IP::remote_addr]
    }

  5. Click Finished.

    You must now associate the new iRule with the virtual server.

Configuring the web server to extract the IP address from the HTTP header

After you have configured the BIG-IP system to insert the original client IP address in an HTTP header using an X-Forwarded-For HTTP header, you must also configure the web server to extract the IP address from the HTTP header, and then log the IP address to the web server log file.

Important: For specific details about using HTTP header information in log files, refer to the documentation provided by the vendor for your specific web server.
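Whichever method you use on the BIG-IP system, the web server must extract the address from the header. The following Python code is an added example (not from this article or any F5 product) showing how a server-side log handler should do that: it combines repeated X-Forwarded-For headers as RFC 2616 Section 4.2 allows (the HTTP profile appends a second header; the single-header iRule appends a comma-separated value), then walks the list from the right so that only the entry appended by the trusted BIG-IP is used, rather than a value the client may have supplied itself. The trusted SNAT prefix and the header lines are constructed values for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: SNAT address range of the BIG-IP system.
# Only connections arriving from these addresses carry a header we can trust.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def combine_xff(header_lines):
    """Combine every X-Forwarded-For header in a request into one list.

    RFC 2616 Section 4.2 says repeated headers of the same name are equivalent
    to a single header whose values are joined by commas, so both a second
    X-Forwarded-For header and a comma-appended value are handled here.
    """
    values = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-forwarded-for":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def client_ip(header_lines, peer_addr):
    """Return the address to log for this request.

    If the TCP peer is not a trusted SNAT address, the header was not added by
    the BIG-IP system and is ignored. Otherwise the list is read from the
    right: the rightmost entry is the one the BIG-IP appended, and the first
    entry that is not itself a trusted proxy is the original client address.
    """
    peer = ip_address(peer_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    for entry in reversed(combine_xff(header_lines)):
        try:
            addr = ip_address(entry)
        except ValueError:
            # Malformed entry: log the peer rather than an unparseable string.
            return str(peer)
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return str(peer)
```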

Apache web server

You can configure an Apache web server to extract the IP address from the X-Forwarded-For HTTP header and log that IP address to the web server log file by adding the appropriate logging directives to the main Apache configuration file (typically named httpd.conf) or to the relevant virtual host configuration files.

For example:

LogFormat "%v %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" X-Forwarded-For
CustomLog /var/log/apache/www.example.com-xforwarded.log X-Forwarded-For

For more information, refer to the Apache logging documentation.

Microsoft IIS web server

You can configure the Microsoft IIS web server to extract the IP address from the X-Forwarded-For HTTP header and log the IP address to the web server log file. To do so, you must download and install the 32-bit and/or 64-bit release versions of the IIS X-Forwarded-For ISAPI Log Filter from http://devcentral.f5.com.

Note: A DevCentral login is required to access this content.

The IIS ISAPI filter, which can be installed under IIS 7.x or IIS 6.x, looks for the X-Forwarded-For HTTP header in the HTTP request. If the IIS ISAPI filter finds an X-Forwarded-For HTTP header in the HTTP request, it replaces the client IP address in the W3SVC log traces with the value of the X-Forwarded-For HTTP header.

To download and install the IIS X-Forward-For ISAPI filter, perform the following procedure:

  1. Log in to http://devcentral.f5.com.

    Note: A DevCentral login is required to access this content.

  2. In the upper-right corner, search for IIS X-Forward-For ISAPI Filter.
  3. In the DevCentral Results section, click IIS X-Forward-For ISAPI Filter.
  4. In the article, click CodeShare to download the .zip file.
  5. To install the filter, add it to your Microsoft IIS website by using the Microsoft IIS Manager utility.

Beginning with IIS 7.0, Microsoft also provides an optional Advanced Logging feature for IIS that allows you to define custom log definitions that can capture additional information, such as the client IP address included in the X-Forwarded-For header, without installing the ISAPI log filter. To configure the IIS web server to log the X-Forwarded-For header, you must have already installed IIS Advanced Logging.

For information about configuring Microsoft IIS, refer to the Microsoft IIS product manual, or to sections 1-11 and 1-12 of Deploying the BIG-IP System with Microsoft IIS 7.0 and 7.5.

Note: For instructions on installing IIS Advanced Logging, refer to Advanced Logging Readme.

These links take you to a resource outside of AskF5. The third party could remove the document without our knowledge.
