xff multiple IP giving you problems?

10:53 PM

If you plan to add an unsupported ISAPI filter to your web server to deal with this problem, STOP!
Use a NetScaler AppExpert rewrite policy instead.

Background

Intermediate proxies and firewalls sometimes hide the true source IP address of the client's TCP/IP connection. Often, though, the application servers need to know the real client IP address. The X-Forwarded-For (XFF) entry in the HTTP header solves this problem: it identifies the original source IP address of the client (and sometimes of intermediate devices). The XFF header is added to HTTP requests by intermediate proxy servers that hide the source IP address of client connections:

 X-Forwarded-For: client

This is how it looks in a GET request:

 GET / HTTP/1.1
 Host: www.badstore.net
 User-Agent: Mozilla Firefox/3.0.3
 Accept: text/html,application/xhtml+xml,application/xml
 Accept-Language: en-us,
 Accept-Encoding: gzip, deflate
 Keep-Alive: 300
 X-Forwarded-For: 192.168.0.3
 Connection: keep-alive

When more hops are in the communication path, each device appends the source IP address it received the request from to the existing XFF header. Each successive proxy in front of the application adds the IP address from which it received the request. This results in the XFF header carrying multiple IP addresses:

 X-Forwarded-For: client, proxy1, proxy2

Sometimes these multiple IP addresses (the additional proxy information) cause problems for web servers. They may expect to see a single IP address and not know how to handle the additional information. This can result in failed logging or even cause an application to crash.

Solution

If multiple IP addresses in the XFF header are the cause of your application problems, a NetScaler AppExpert rewrite policy can solve it quickly. The following policy removes all but the first value from the comma-delimited list of IP addresses in the XFF header (the load balancing vserver name is a placeholder to replace with your own):

add rewrite action rw_XFF_strip_extraIPs delete "HTTP.REQ.HEADER(\"X-Forwarded-For\").AFTER_REGEX(re/^.{1,3}\..{1,3}\..{1,3}\..{1,3}/)"
add rewrite policy rw_XFF_present "HTTP.REQ.HEADER(\"X-Forwarded-For\").EXISTS" rw_XFF_strip_extraIPs
bind lb vserver <lb_vserver_name> -policyName rw_XFF_present -priority 110 -gotoPriorityExpression END -type REQUEST

Removing the additional XFF addresses leaves only the real client IP address in the X-Forwarded-For header field. But make sure to disable XFF header insertion on the service and let the Rewrite module insert it instead; otherwise you may end up with two XFF headers in the HTTP request. The following rewrite policy inserts the XFF header if it is not already present:

add rewrite action rw_XFF_insert insert_http_header X-Forwarded-For CLIENT.IP.SRC
add rewrite policy rw_XFF_not_present "HTTP.REQ.HEADER(\"X-Forwarded-For\").EXISTS.NOT" rw_XFF_insert
bind lb vserver <lb_vserver_name> -policyName rw_XFF_not_present -priority 0 -gotoPriorityExpression END -type REQUEST
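Added example (written for this page, not code from the post or from Citrix): a short Python emulation of the two rewrite policies above so their effect can be checked offline. It reuses the page's AFTER_REGEX pattern verbatim, puts a stricter comma-list parser beside it, and adds a helper that reads the client address from the right-hand end of the list past a set of trusted proxy addresses. The sample headers, the 10.0.0.x addresses and the trusted_proxies set are constructed for the example.

```python
"""Emulate the NetScaler XFF rewrite policies from the post in plain Python.

Added example, not the post's or Citrix's code.  The regex is the one used by
the page's rw_XFF_strip_extraIPs action; everything else is constructed here.
"""
import re
from ipaddress import ip_address

# Pattern copied from the page's rewrite action.  NetScaler's AFTER_REGEX()
# selects the text after the first match and the delete action removes it.
PAGE_REGEX = re.compile(r"^.{1,3}\..{1,3}\..{1,3}\..{1,3}")

XFF = "X-Forwarded-For"


def strip_after_page_regex(xff_value: str) -> str:
    """Emulate rw_XFF_strip_extraIPs: drop everything after the regex match."""
    m = PAGE_REGEX.match(xff_value)
    if m is None:
        # No match (for example an IPv6 address): AFTER_REGEX selects nothing,
        # so the header is left untouched.
        return xff_value
    return xff_value[: m.end()]


def first_listed_ip(xff_value: str):
    """Stricter alternative: first comma-separated entry that parses as an IP."""
    for entry in xff_value.split(","):
        entry = entry.strip()
        try:
            return str(ip_address(entry))
        except ValueError:
            continue  # 'unknown', a hostname, or junk: skip it
    return None


def client_ip_behind_trusted_proxies(xff_value: str, trusted_proxies: set):
    """Walk the list from the right, skipping the addresses of our own proxies.

    The leftmost entry is whatever the first hop received, which the client
    itself can send; the rightmost entries were appended by hops we control,
    so the first address right-to-left that is not one of ours is the client.
    """
    entries = [e.strip() for e in xff_value.split(",") if e.strip()]
    while entries:
        candidate = entries.pop()
        if candidate in trusted_proxies:
            continue
        try:
            return str(ip_address(candidate))
        except ValueError:
            return None  # a trusted hop recorded something unparsable
    return None  # every entry was one of our own proxies


def apply_policies(headers: dict, client_src_ip: str) -> dict:
    """Apply rw_XFF_not_present then rw_XFF_present, in the page's bind order.

    Header names are compared case-insensitively, as HTTP requires.
    client_src_ip plays the role of CLIENT.IP.SRC.
    """
    result = dict(headers)
    existing = next((k for k in result if k.lower() == XFF.lower()), None)
    if existing is None:
        result[XFF] = client_src_ip                                   # rw_XFF_insert
    else:
        result[existing] = strip_after_page_regex(result[existing])  # rw_XFF_strip_extraIPs
    return result


if __name__ == "__main__":
    # Constructed sample request (documentation-range addresses).
    sample = {"Host": "www.example.invalid",
              "x-forwarded-for": "203.0.113.7, 198.51.100.2, 10.0.0.5"}
    print(apply_policies(sample, "10.0.0.9"))
    print(apply_policies({"Host": "www.example.invalid"}, "10.0.0.9"))
    print(first_listed_ip(sample["x-forwarded-for"]))
    print(client_ip_behind_trusted_proxies(sample["x-forwarded-for"],
                                           {"10.0.0.5", "198.51.100.2"}))
```

Running it shows two things worth knowing before relying on the page's policy: the page's regex keeps a trailing ", " behind the first address when more entries follow (the greedy `.{1,3}` swallows the separator) and never matches an IPv6 address, so such headers pass through unchanged; and because the leftmost entry is whatever the first hop was handed, a consumer that logs or makes access decisions on the client address should walk from the right past its own proxies, as `client_ip_behind_trusted_proxies` does, rather than trust position one.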
