[f-nsp] Foundry source-nat problem

Youssef Ghorbal youssef.ghorbal at netplus.fr
Mon Dec 31 04:43:08 EST 2007


Hi,

	This is a good idea in fact. But on the ServerIronXL (Stackable
edition) Header insertion is not supported. This feature is enabled
on Chassis software 08.1.00S/R and later.

Regards,
Youssef Ghorbal
Netplus Communication
--------------------
On Dec 29, 2007, at 9:01 PM, Mike Lott wrote:

> Hi
>
> You need to enable HTTP Header insertion which also requires setting
> up a dummy URL switching policy. It's a bit long-winded but goes
> something like this (I administer a ServerIronGT setup, so YMMV).
> Please note this is from memory so might be slightly askew...
>
> Set up the dummy switching policy as follows:
>
> conf t
> url-map dummy1
> default 0
>
> Now, to your "server virtual" configuration add the following lines:
>
> port http url-map "dummy1"
> port http url-switch
> port http request-insert client-ip
>
> The best thing to do now in order to test that the header is indeed
> being added is to use tcpdump on the connection from the backend of
> the Foundry box, to one of your real servers (i.e. run tcpdump on the
> wire on one of the backend servers). I'm not going to go into the
> particulars of tcpdump here as it is very powerful, and as such, can
> be fairly complicated. There are plenty of resources out there...
> <http://dmiessler.com/study/tcpdump/>
>
> Unfortunately, it doesn't stop there :) You have to add this to the
> log format on the application servers you are using, otherwise they
> won't pick up the IP address. For example, I have been tinkering with
> Nginx (<http://nginx.net>), and under the server directive in the
> nginx.conf, I have to add the line "$http_client_ip" so that the
> header will be looked for and the IP logged.
>
> Whether the log format of whatever application you are using supports
> the header "Client-IP" is another thing entirely.
>
> HTH
>
> Mike
>
> On 28/12/2007, Youssef Ghorbal <youssef.ghorbal at netplus.fr> wrote:
>> Hi,
>>
>>         Your problem was treated previously in this mailing list
>> (mail from : matthew.kirkland at uk.clara.net  Subject :
>> [ServerIronXL] accessing VIP from real server )
>>         I'll forward you the mails about this subject directly.
>>
>> Regards,
>> Youssef Ghorbal
>> Netplus Communication
>> ----------------------------------------------
>>
>> On Dec 21, 2007, at 11:01 AM, Jackie Yuen wrote:
>>
>>> Hi,
>>>
>>> We have several application servers directly connected to the
>>> foundry.  We have added an extra device on the same subnet behind
>>> the Foundry, let's call it Server A, that requires to connect to the
>>> other servers with the Foundry VIP of these servers.   We have
>>> tested that by enabling the source-nat feature, Server A is able to
>>> connect to the other servers with their VIP.  However, this does
>>> not work for us because these application servers require to log
>>> the client original IP, the source-nat feature makes all source IP
>>> as if coming from the SI.   Is there any way to work around?  Or
>>> can I configure using source-nat only for the traffic from Server A?
>>>
>>> Many thanks.
>>>
>>> Jack
>>>
>>> _______________________________________________
>>> foundry-nsp mailing list
>>> foundry-nsp at puck.nether.net
>>> http://puck.nether.net/mailman/listinfo/foundry-nsp
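The thread ends with the real servers logging the inserted Client-IP header. The following is an added example, not code from the thread or from Foundry: it reads access-log lines and accepts the header value only when the connection's peer is the ServerIron source-NAT address, so a header supplied by any other peer is never logged as the client. The log format, the addresses and the function name are assumptions.

```python
import ipaddress
import re

# Assumption: source-NAT address of the ServerIron as seen by the real servers.
TRUSTED_LB = {ipaddress.ip_address("192.0.2.10")}

# Assumed nginx log_format: '$remote_addr "$http_client_ip" "$request" $status'
LINE_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<client_ip>[^"]*)" "(?P<request>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 "198.51.100.7" "GET / HTTP/1.1" 200',
    '192.0.2.10 "-" "GET /health HTTP/1.0" 200',
    '192.0.2.55 "10.0.0.1" "GET /admin HTTP/1.1" 403',
    '192.0.2.56 "-" "GET / HTTP/1.1" 200',
]


def effective_client(line):
    """Return (ip, source) for one log line, or None if it cannot be parsed.

    source is 'header' (Client-IP accepted from the load balancer),
    'lb-no-header' (load balancer connection without a usable header),
    'peer-untrusted-header' (header sent by another peer, ignored) or 'peer'.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m["peer"])
    except ValueError:
        return None
    raw = m["client_ip"]
    present = raw not in ("", "-")  # nginx logs "-" for an absent header
    header = None
    if present:
        try:
            header = ipaddress.ip_address(raw)
        except ValueError:
            header = None  # not an address: never log it as the client
    if peer in TRUSTED_LB:
        if header is not None:
            return str(header), "header"
        return str(peer), "lb-no-header"
    return str(peer), "peer-untrusted-header" if present else "peer"


if __name__ == "__main__":
    for entry in SAMPLE:
        print(effective_client(entry), "<-", entry)
```

Lines classified as 'peer-untrusted-header' are worth reviewing, since they show a host other than the load balancer reaching the real server while supplying its own Client-IP value.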



