[f-nsp] Foundry source-nat problem

Mike Lott lists.accounts at gmail.com
Sat Dec 29 15:01:07 EST 2007


Hi

You need to enable HTTP Header insertion which also requires setting
up a dummy URL switching policy. It's a bit long-winded but goes
something like this (I administer a ServerIronGT setup, so YMMV).
Please note this is from memory so might be slightly askew...

Set up the dummy switching policy as follows:

conf t
url-map dummy1
default 0

Now, to your "server virtual" configuration add the following lines:

port http url-map "dummy1"
port http url-switch
port http request-insert client-ip

The best thing to do now in order to test that the header is indeed
being added is to use tcpdump on the connection from the backend of
the Foundry box, to one of your real servers (i.e. run tcpdump on the
wire on one of the backend servers). I'm not going to go into the
particulars of tcpdump here as it is very powerful, and as such, can
be fairly complicated. There are plenty of resources out there...
<http://dmiessler.com/study/tcpdump/>

Unfortunately, it doesn't stop there :) You have to add this to the
log format on the application servers you are using, otherwise they
won't pick up the IP address. For example, I have been tinkering with
Nginx (<http://nginx.net>), and under the server directive in the
nginx.conf, I have to add the line "$http_client_ip" so that the
header will be looked for and the IP logged.

Whether the log format of whatever application you are using supports
the header "Client-IP" is another thing entirely.

HTH

Mike

On 28/12/2007, Youssef Ghorbal <youssef.ghorbal at netplus.fr> wrote:
> Hi,
>
>         Your problem was treated previously in this mailing list (mail
> from: matthew.kirkland at uk.clara.net, Subject: [ServerIronXL]
> accessing VIP from real server).
>         I'll forward you the mails about this subject directly.
>
> Regards,
> Youssef Ghorbal
> Netplus Communication
> ----------------------------------------------
>
> On Dec 21, 2007, at 11:01 AM, Jackie Yuen wrote:
>
> > Hi,
> >
> > We have several application servers directly connected to the Foundry.
> > We have added an extra device on the same subnet behind the Foundry,
> > let's call it Server A, that needs to connect to the other servers with
> > the Foundry VIP of these servers. We have tested that by enabling the
> > source-nat feature, Server A is able to connect to the other servers
> > with their VIP. However, this does not work for us because these
> > application servers need to log the client's original IP, and the
> > source-nat feature makes all source IPs appear as if coming from the
> > SI. Is there any way to work around this? Or can I configure
> > source-nat only for the traffic from Server A?
> >
> > Many thanks.
> >
> > Jack
> >
> > _______________________________________________
> > foundry-nsp mailing list
> > foundry-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>
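An added example of the nginx side of this, not code from the message above or from nginx's or Foundry's documentation: it assumes nginx built with ngx_http_realip_module (1.9.7 or later for $realip_remote_addr), that the ServerIron inserts the header under the name "Client-IP" as described, and that the load balancer's backend-side address is 10.0.0.1 (a constructed value).

```nginx
http {
    # Weak: logs whatever Client-IP header arrived on the request.
    # Accurate only if every request really passes through the load
    # balancer, which inserts the header; a client that can reach this
    # server directly could present its own Client-IP value.
    log_format lb_naive   '$remote_addr header=$http_client_ip '
                          '"$request" $status $body_bytes_sent';

    # Hardened: let the realip module replace $remote_addr with the
    # Client-IP value, but only for connections whose TCP peer is the
    # load balancer's backend address (assumed/constructed value).
    set_real_ip_from  10.0.0.1;      # ServerIron backend-side address
    real_ip_header    Client-IP;     # header added by "request-insert client-ip"
    real_ip_recursive off;

    # $realip_remote_addr keeps the original TCP peer (the load
    # balancer), so both addresses are in the entry when investigating.
    log_format lb_trusted '$remote_addr peer=$realip_remote_addr '
                          '"$request" $status $body_bytes_sent';

    server {
        listen 80;
        access_log /var/log/nginx/access.log lb_trusted;
        location / { return 200 "ok\n"; }
    }
}
```

The first log_format trusts whatever Client-IP arrived, which is only sound if every request really traverses the ServerIron. The second only substitutes the header value for connections from the listed address, so a host that reaches the real server directly is logged under its own source address, not one it supplies; the tcpdump check Mike describes then confirms the header is actually present on the wire from the load balancer before you rely on it.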