X-Forwarded-For Header Insertion
By default, Avi Service Engines (SEs) source-NAT (SNAT) traffic destined to servers. Due to SNAT, logs on the application servers will show the layer 4 IP address of the SE rather than the original client’s IP address.
Most application servers can leverage the XFF header as the source IP address for logging or blocklisting. For HTTP traffic, Avi Vantage can be configured to insert an X-Forwarded-For (XFF) header in client-server requests, to include the original client IP addresses in the requests for logging.
Note: IPv6 is supported.
To include the client’s original IP address in HTTP traffic logs, enable Avi Vantage to insert an XFF header into the client traffic destined for the server. XFF insertion can be enabled in the HTTP application profile that is attached to the virtual service.
Navigate to Templates > Application Profile.
Click Create or edit an existing HTTP profile.
Under General, enter Name and select the Type as HTTP.
Under the HTTP tab, select the X-Forwarded-For check box.
Note: Optionally the header can be renamed using the XFF Alternate Name field.
Under XFF Alternate Name, enter the XFF Alternate Name to allow the XFF header insertion to use a custom HTTP header name.
Note: To retain one or more X-Forwarded-For headers coming with the request, starting with NSX Advanced Load Balancer 22.1.3, the option for XFF Header Handling is available.
Select the XFF Header Handling to configure how incoming X-Forwarded-For headers from the client are handled.
Configure the remaining fields in the Application Profile and click Save.
The profile change affects any virtual services that use the same HTTP application profile.
When XFF header insertion is enabled, the SE checks the headers of client-server packets for existing XFF headers. If XFF headers already exist, the SE first removes any pre-existing XFFs, then inserts its own XFF header. This is done to prevent clients from spoofing their IP address.
Note: If the client request contains an X-forward-proto header same as the one present in the application profile config, then NSX Advanced Load Balancer will send only a single X-forward-proto to the server.
Keeping Pre-existing XFF Headers
There are times when this behavior (removing pre-existing XFF headers) is not desired, such as when multiple proxies may be SNATing and inserting XFF headers. In this case, to insert an XFF header without removing pre-existing XFF headers, use either a DataScript or an HTTP Request Policy.
Document Revision History
|January 31, 2023||Updated the content for XFF Header Handling (version 22.1.3)|
|July 15, 2022||Updated the content for X-Forwarded-For Header Insertion (version 22.1.1)|