How to preserve the original source client IP using X-Forwarded-For or aFlex?


This topic contains 14 replies, has 2 voices, and was last updated by avatar diederik 5 months ago.

#14542 mlmarcelo (Member)

    Hi,

I have done the aFlex and X-Forwarded-For configuration on the A10, but the SNAT IP of the AX1030 is still what appears in the Bluecoat Proxy user IP list. Is configuration also needed on the Bluecoat to preserve the original source IP?

    Btw, here’s my configuration on my A10 SLB

    !Current configuration: 6155 bytes
    !Configuration last updated at 11:11:01 MYT Wed Jun 13 2018
    !Configuration last saved at 11:11:02 MYT Wed Jun 13 2018
    !version 2.7.1-P3, build 76 (Nov-06-2013,11:23)
    !
    ha id 1 set-id 1

    vcs enable
    vcs vMaster-id 1
    vcs config-info 10b2fca7f5fbf456 9390
    vcs chassis-id 1
    vcs floating-ip 20.20.20.3 /24
    vcs multicast-ip 224.0.0.210
    vcs device 1
    priority 200
    interfaces ethernet 6
    enable
    vcs device 2
    priority 150
    interfaces ethernet 6
    enable
    vcs local-device 1
    !
    hostname A10SLB-1 device 1
    hostname A10SLB-2 device 2
    clock timezone Asia/Kuala_Lumpur
    !
    ntp server 170.1.188.112
    !
    ntp server 170.1.188.117
    !
    system per-vlan unknown-ucast 5000
    enable-def-vlan-l2-forwarding
    vlan 1/111
    untagged ethernet 1 ethernet 3 to 4
    router-interface ve 111
    !
    vlan 1/112
    router-interface ve 112
    !
    vlan 1/884
    untagged ethernet 2
    router-interface ve 884
    !
    vlan 1/905
    router-interface ve 905
    !
    vlan 1/995
    router-interface ve 995
    !
    vlan 2/111
    untagged ethernet 1 ethernet 3 to 4
    router-interface ve 111
    !
    vlan 2/123
    untagged ethernet 7
    !
    vlan 2/884
    untagged ethernet 2
    router-interface ve 884
    !
    vlan 2/905
    router-interface ve 905
    !
    vlan 2/995
    router-interface ve 995
    !
    !

    !

    interface management device 1
    ip address 10.130.40.251 255.255.254.0
    ip default-gateway 10.130.40.1
    !
    interface management device 2
    ip address 10.130.40.252 255.255.254.0
    ip default-gateway 10.130.40.1
    flow-control
    !
    interface ethernet 1/3
    disable
    !
    interface ethernet 1/4
    disable
    !
    interface ethernet 1/6
    ip address 20.20.20.1 255.255.255.0
    !
    interface ethernet 1/7
    disable
    !
    interface ethernet 1/8
    disable
    !
    interface ve 1/111
    ip address 170.1.188.140 255.255.0.0
    !
    interface ve 1/112
    disable
    !
    interface ve 1/884
    ip address 192.168.202.253 255.255.254.0
    !
    interface ve 1/905
    disable
    !
    interface ve 1/995
    disable
    !
    interface ethernet 2/1
    speed 1000
    duplexity Full
    !
    interface ethernet 2/3
    disable
    !
    interface ethernet 2/4
    disable
    !
    interface ethernet 2/5
    disable
    !
    interface ethernet 2/6
    ip address 20.20.20.2 255.255.255.0
    !
    interface ethernet 2/7
    disable
    !
    interface ethernet 2/8
    disable
    !
    interface ve 2/111
    ip address 170.1.188.139 255.255.0.0
    !
    interface ve 2/884
    ip address 192.168.202.254 255.255.254.0
    !
    ip route 0.0.0.0 /0 192.168.202.11 device 1
    !
    ip route 0.0.0.0 /0 192.168.202.11 device 2
    !
    !

    ha l3-inline-mode
    ha group 1 priority 1/100
    ha interface ethernet 1 no-heartbeat device 1
    ha interface ethernet 2 no-heartbeat device 1
    ha interface ethernet 6 device 1
    ha conn-mirror ip 20.20.20.1 device 1
    !
    ha group 1 priority 2/200
    ha interface ethernet 1 no-heartbeat device 2
    ha interface ethernet 2 no-heartbeat device 2
    ha interface ethernet 6 device 2
    ha conn-mirror ip 20.20.20.2 device 2
    !
    !
    ip nat pool SLB-SNAT-IP 192.168.203.25 192.168.203.25 netmask /23 gateway 192.168.202.11 ha-group-id 1
    ip nat pool testnat2 170.1.188.136 170.1.188.136 netmask /16 gateway 170.1.2.3 ha-group-id 1
    !
    health monitor tcp_8080
    method tcp port 8080
    !
    health monitor tcp_445
    method tcp port 445
    !
    health monitor FTP
    method ftp
    !
    health monitor HTTP_8080
    method http port 8080
    !
    !
    slb server BLUECOAT-PROXY_192.168.202.127 192.168.202.127
    health-check tcp_8080
    port 8080 tcp
    health-check tcp_8080
    !
    slb server BLUECOAT-PROXY_192.168.202.128 192.168.202.128
    health-check tcp_8080
    port 8080 tcp
    health-check tcp_8080
    !
    slb server BLUECOAT-PROXY_170.1.188.133 170.1.188.133
    health-check tcp_8080
    conn-limit 8000000 no-logging
    port 8080 tcp
    health-check tcp_8080
    port 8081 tcp
    health-check ping
    port 8082 tcp
    health-check ping
    !
    slb server BLUECOAT-PROXY_192.168.202.252 192.168.202.252
    health-check tcp_8080
    port 8080 tcp
    health-check tcp_8080
    !
    slb service-group Bluecoat-Proxy-Test-Xforwarder tcp
    health-check tcp_8080
    member BLUECOAT-PROXY_170.1.188.133:8080
    !
    slb service-group BLUECOAT-PROXY-Group tcp
    health-check HTTP_8080
    member BLUECOAT-PROXY_170.1.188.133:8080
    !
    !
    slb template tcp default
    insert-client-ip
    !
    slb template tcp ftp_longidle
    idle-timeout 15000
    !
    slb template tcp socks_longidle
    idle-timeout 15000
    !
    slb template tcp insertclient2
    insert-client-ip
    !
    slb template tcp TEST_TCp
    insert-client-ip
    !
    !
    slb template http X-Forwarded-For
    insert-client-ip X-Forwarded-For
    !
    slb template http clientip-insert
    insert-client-ip X-Forwarded-For
    !
    !
    slb template persist source-ip sourceip_persistence
    !
    !
    slb template persist destination-ip sticky
    match-type service-group
    !
    !
    slb virtual-server Bluecoat-Proxy-Test-Xforwarder 192.168.203.250
    ha-group 1
    port 8080 http
    name _192.168.203.250_TCP_8080
    source-nat pool SLB-SNAT-IP
    service-group Bluecoat-Proxy-Test-Xforwarder
    template http clientip-insert
    aflex X-Forwarded-For

    !

    enable-management device 1 service ssh ethernet 1 to 8 ve 905
    enable-management device 1 service https ethernet 1 to 8 ve 905
    enable-management device 1 service snmp ethernet 1 to 8 ve 905
    disable-management device 1 service http management
    enable-management device 2 service ssh ethernet 1 to 8 ve 905
    enable-management device 2 service https ethernet 1 to 8 ve 905
    enable-management device 2 service snmp ethernet 1 to 8 ve 905
    disable-management device 2 service http management
    !
    monitor buffer-usage 711760
    !
    !
    !

    multi-config enable
    enable-core
    !
    !
    !
    no terminal auto-size
    terminal width 80
    terminal length 0
    !
    end

    A10SLB-1-Active-vMaster[1/1]#

    Please HELP.

#14572 diederik (Member)

    Hello,

Yes, indeed, you also need to instruct the Bluecoat to now look for the X-Forwarded-For information rather than use the client IP address as found in the IP headers.

I’m not sure what exact Bluecoat setup you have, but a quick search led me to this:

    Use Effective IP to Determine the Origin IP

    Greetings,

    Diederik

#14582 mlmarcelo (Member)

    Hi Diederik

    Thanks for the link.

    Just a quick question for this

    “ip_address” specifies the HTTP proxy or load balancer IP address.

Does this mean that I need to define the VIP of the VS or the source NAT IP?

    Regards.

#14632 diederik (Member)

    The way I understand it is that the “ip_address” identifies what source the packets are coming from and which ones the proxy need to match to apply the rule of looking into the X-Forwarded-For header.

    So, if you have setup a particular NAT-IP address on the SLB, you need to put that IP address in there.
You need to put the IP address in there which the proxy sees in the IP header as the source IP address.

#14642 mlmarcelo (Member)

    Hi Diederik,

I already applied that, but the result was still the same. I was getting an error on the ProxySG saying:

    Error: Expected '!', '(', or a value: '<'
    cpl.local:45: client.address=<192.168.203.250> \ client.effective_address("$(request.header.X-Forwarded-For)")

    BR.

#14652 diederik (Member)

Well, I think the system is telling you not to use the "<"...
    but of course, we are not a Bluecoat forum…

    try again with:

    client.address=192.168.203.250 \ client.effective_address("$(request.header.X-Forwarded-For)")

#14662 mlmarcelo (Member)

    Still the same :(

    Error: Unknown tag: '\'
    cpl.local:44: client.address=192.168.203.250 \ client.effective_address("$(request.header.X-Forwarded-For)")

#14672 diederik (Member)

Try removing that tag...

    "\" is also often shown if something did not fit on one line...

    client.address=192.168.203.250 client.effective_address("$(request.header.X-Forwarded-For)")

#14682 mlmarcelo (Member)

With an error as well :(

    Error: Unknown tag: 'client.effective_address'
    cpl.local:44: client.address=192.168.203.250 client.effective_address("$(request.header.X-Forwarded-For)")

#14692 diederik (Member)

    Where are you configuring this?
    What version of OS are you running on the Proxy SG?
    Have you tried this:

    Configure Effective IP Using the VPM

    If these BlueCoat options do not seem to work on your BlueCoat system… I suggest you contact BlueCoat support :)

#14702 mlmarcelo (Member)

    Yes, I’ve tried doing it on VPM and other ways to apply the script, but nothing happens.

    Software Version: SGOS 6.4.6.6 Proxy Edition

Is there any way to show the original source client without configuring X-Forwarded-For on both devices? Like a different deployment method?

    BR.

#14712 diederik (Member)

Ok, first of all... is the setup working?
    I see you are redirecting port 8080 traffic to the proxy, and you have the port type HTTP set up.
    So is the traffic flow working? Can clients browse the internet?

    Explicit proxy traffic looks like normal HTTP but is slightly different; the A10 might actually not be adding the header. This might be due to the fact that the A10 sees it is explicit proxy traffic and not plain HTTP...

    If you set up your ProxySG to accept normal HTTP traffic and operate as a transparent proxy, the A10 will see normal HTTP traffic and can add the header.

    This is the setup we normally use:
    https://www.a10networks.com/solutions/partner_solutions/blue-coat-systems-partner-solutions

I’m not sure what happens if you just load-balance the explicit proxy traffic.
    I expect the A10 cannot alter the header and thus you will always see the NAT IP.

#14722 diederik (Member)

Btw, if you are setting up the clients to connect to the A10’s VIP address as the explicit proxy address, you can also look into using one of the new features of the A10 CFW.

    It supports explicit proxy and can do proxy forwarding toward proxy systems like BlueCoat.

    This will require a CFW/CFW license and one of the latest ACOS versions. I would strongly suggest the latest 4.1.1-P build, or even 4.1.4.

#14732 mlmarcelo (Member)

    Hi Diederik,

Yes, they can browse using the VIP, but the problem is that the Bluecoat proxy only sees the source NAT IP configured on the A10, not their original IP.

    BR

    (This reply was modified 5 months ago by mlmarcelo.)

#14752 diederik (Member)

Personally, I have never tested adding the X-Forwarded-For header when load-balancing explicit proxy connections.
    Can you trace the traffic between the A10 and the BlueCoat to confirm the header is added?
    If it is not added, open a case with A10 TAC/Support; they can confirm whether it is supported, and if it is supported they can check what is going on on the A10.

    If in your traces you see the header is added, then you need to call BlueCoat support and have them figure out why your config does not take it into account.
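An added example, not code from this thread and not A10's or Blue Coat's own implementation, to make two points in the replies concrete: diederik's remark (#14712) that explicit-proxy requests differ from plain HTTP, and his advice (#14752) to confirm on the wire whether the header is actually present before anything relies on it. It takes a raw request plus the TCP peer address and works out the client address a proxy policy should use, honouring X-Forwarded-For only when the peer is the A10's SNAT address 192.168.203.25 from the posted config; an X-Forwarded-For trusted from any peer is trivially spoofable by the client. Assumptions: the sample requests, the client address 170.1.5.20 and the host example.com are constructed; and it assumes the load balancer appends its value to any X-Forwarded-For the client already sent, so the trustworthy entry is the last one (that append-versus-replace behaviour is exactly what a capture between the A10 and the proxy should be checked for).

```python
"""Derive the effective client IP behind a load balancer that SNATs.

Added example, not from the thread. The only trusted peer is the A10 SNAT
address from the posted config (ip nat pool SLB-SNAT-IP 192.168.203.25).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Peers whose X-Forwarded-For is accepted: the A10 SNAT IP from the posted config.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("192.168.203.25")})


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased name -> value


def parse_request(raw: bytes) -> Request:
    """Parse the request line and header block of a raw HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    req = Request(method, target, version)
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Repeated fields combine into one comma-separated list (RFC 7230 s3.2.2).
        req.headers[name] = f"{req.headers[name]}, {value}" if name in req.headers else value
    return req


def is_explicit_proxy_request(req: Request) -> bool:
    """Explicit-proxy traffic carries an absolute URI (or CONNECT host:port) as
    the request target, unlike the origin-form '/path' of plain HTTP."""
    if req.method == "CONNECT":
        return True
    return urlsplit(req.target).scheme in ("http", "https")


def effective_client_ip(peer_ip: str, req: Request) -> IPAddr:
    """Return the address that policy should treat as the client.

    X-Forwarded-For is honoured only when the TCP peer is a trusted load
    balancer; from any other peer it may be forged. With one trusted hop that
    appends its value, the trustworthy entry is the last one, so a
    client-supplied prefix such as '127.0.0.1' is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer
    xff = req.headers.get("x-forwarded-for")
    if not xff:
        return peer  # header absent: the symptom in the thread (proxy logs the SNAT IP)
    last_hop = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop)
    except ValueError:
        return peer  # malformed value: fall back rather than trust it


# Constructed samples (not captures from the thread's network).
EXPLICIT_REQUEST = (
    b"GET http://example.com/ HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"X-Forwarded-For: 127.0.0.1, 170.1.5.20\r\n"  # 127.0.0.1 forged by client, 170.1.5.20 appended by A10
    b"Proxy-Connection: keep-alive\r\n"
    b"\r\n"
)
PLAIN_REQUEST_NO_XFF = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for label, raw in (("explicit", EXPLICIT_REQUEST), ("plain", PLAIN_REQUEST_NO_XFF)):
        req = parse_request(raw)
        print(label, "explicit-proxy form:", is_explicit_proxy_request(req),
              "| client as seen from SNAT peer:", effective_client_ip("192.168.203.25", req),
              "| from untrusted peer:", effective_client_ip("192.168.202.11", req))
```

The check to run against a real capture is the same one the sample encodes: if requests from 192.168.203.25 arrive without an X-Forwarded-For value at all, the load balancer is not inserting it (the A10 side, per #14752); if the value is there and the proxy still logs 192.168.203.25, the proxy's policy is not consuming it (the Blue Coat side).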
