Configuring CF10 to use X-forwarded-for instead of remote_addr

I am using an AWS instance behind a load balancer with NAT. It has its advantages, but one of its disadvantages is the remote_addr coming through is the remote_addr of the ELB.
http://leaguemanager.playerspace.com/test.cfm
What I'm trying to do is trick or configure the CF10 Administrator > Debugging and Logging > Enabled Request Debugging Output to use the x-forwarded-for as opposed to the remote_addr so I can use server debugging without that information being made visible to the public.
Is this possible by, say, modifying a file somewhere, to have the IP addresses set in Debugging and Logging > Debugging IP Addresses to be matched with the true client's personal IP (x-forwarded-for)?
JS

Never mind, I figured it out.
c:\coldfusion10\cfusion\runtime\conf\server.xml
Added
<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
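
Added example (not part of the original post and not Tomcat's code): a simplified Python model of how RemoteIpValve picks the client address from X-Forwarded-For, showing why the valve's internalProxies pattern decides whether a forged header can match the Debugging IP Addresses list. The addresses, both patterns and the set standing in for the debugging IP list are constructed assumptions.

```python
import re

# Constructed pattern: only the assumed load-balancer subnet 10.0.0.0/8 counts
# as an internal proxy. The real default depends on the Tomcat version.
INTERNAL_PROXIES = re.compile(r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}")
# Deliberately over-broad pattern, to show the failure mode.
OVERBROAD = re.compile(r".*")
# Constructed stand-in for the "Debugging IP Addresses" list.
DEBUG_IPS = {"198.51.100.99"}


def resolve_remote_addr(peer_addr, xff_values, internal=INTERNAL_PROXIES, trusted=None):
    """Model of the valve: return the address the application sees as remote_addr.

    peer_addr  -- address of the TCP peer (normally the load balancer)
    xff_values -- list of X-Forwarded-For header values on the request
    """
    # The header is only honoured when the direct peer is a known proxy.
    if not internal.fullmatch(peer_addr):
        return peer_addr
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    remote_ip = None
    # Walk right to left: the right-most entries were appended by our own
    # proxies; the first entry that is not a known proxy is the client.
    for hop in reversed(hops):
        remote_ip = hop
        if internal.fullmatch(hop):
            continue
        if trusted is not None and trusted.fullmatch(hop):
            continue
        break
    return remote_ip if remote_ip is not None else peer_addr


def debug_output_allowed(peer_addr, xff_values, internal=INTERNAL_PROXIES):
    """True when the resolved address is on the debugging IP list."""
    return resolve_remote_addr(peer_addr, xff_values, internal) in DEBUG_IPS


def run_cases():
    """Constructed requests; returns {case name: (resolved address, debug shown?)}."""
    lb = "10.0.1.25"  # constructed load-balancer address
    cases = {
        "developer via LB": (lb, ["198.51.100.99"], INTERNAL_PROXIES),
        "visitor via LB": (lb, ["203.0.113.7"], INTERNAL_PROXIES),
        # Visitor sends a forged header; the LB appends the real address.
        "forged header via LB": (lb, ["198.51.100.99, 203.0.113.7"], INTERNAL_PROXIES),
        # Request reaches the server without passing through the LB.
        "forged header, direct": ("203.0.113.7", ["198.51.100.99"], INTERNAL_PROXIES),
        # Same forged request, but every address is treated as a proxy.
        "forged header, over-broad pattern": (lb, ["198.51.100.99, 203.0.113.7"], OVERBROAD),
    }
    return {
        name: (resolve_remote_addr(p, x, pat), debug_output_allowed(p, x, pat))
        for name, (p, x, pat) in cases.items()
    }


if __name__ == "__main__":
    for name, (addr, shown) in run_cases().items():
        print(f"{name:36} remote_addr={addr:15} debug_output={shown}")
```

The valve's internalProxies attribute should match only the load balancer's addresses, and the server should accept HTTP connections only from the load balancer, so the right-most header entry is always one the balancer wrote.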

Similar Messages

  • Capture IP without using X-Forwarded For

    Hello Friends,
    We are running a web-application that has a login on the very first page.
    We want to capture the real IP addresses of all the customers that visit our application.
    We have Cisco layer 3 Load balancer configured in a shared mode with Natting.
    We are running IBM http server over Apache. 
    We proposed using "X-Forwarded For" header to capture client IP but were not allowed due to known vulnerabilities associated with X-Forwarded for.
    We want to capture client IPs for "http" and "https" without using "X-Fwd for".
    Can someone kindly suggest if there is any alternate to it?
    If yes then how to implement it?

    Hi Vivek, adding the X-Forwarded method to the load balance policy, so that the source IP address is added to the HTTP header, is the only method. Unless the application itself does not request the source IP address in the header, which can be passed through the load balancer.

  • Sticky using X-Forwarded-For

    Hello,
      I have a back-end ACE which needs to create a sticky based on a header value. The  X-Forwarded-For header is perfect as it indicates the original client ip.  There is a front end ACE which is setting the header correctly.
      My goal is to have the sticky associate every subsequent request originating from the same client ip (X-Forwarded-For value) to go to the same backend server.  This application opens multiple sessions and they all need to go to the same backend server.
      Does anyone have an example of what that backend ACE config would look like?

    Hi Joseph,
    If I understood you correctly, you now configured the ACE to insert a header with the client IP in it. Am I right? If so, this is not going to work.
    For stickiness to work properly, you would need to ensure that the client (or the proxy before the ACE) is inserting a string on the request that remains constant throughout all the connections from a single client. The moment this string changes, the ACE will no longer be able to find a valid sticky entry and just send the request to another server.
    If the header stickiness is not working properly due to the changing headers, you could always try using cookie stickiness instead. The ACE can insert a cookie for stickiness purposes, and there is no reason for the client to modify it.
    Daniel

  • ACE30 Load balancing based on IP and using x-forward-for header

    Hi Guys,
    We currently have a load balancing policy setup to direct traffic to say FARM-A based on a particular range of source (client) IP addresses, and the default FARM-B for all the other traffic.
    We are now looking to introduce a web application firewall (WAF) before the ACE.  The WAF will be inserting the client IP address into the x-forward-for http header.  Now I was wondering how best we can achieve the load balancing based on source IP given that we'll have to parse the HTTP header for this x-forward-for field?  Are there any examples that anyone can point me to?
    let me know if you have any questions.
    thanks
    Sheldon

    Hi Sheldon,
    You might try creating a class map that matches on the XFF header. Then use that as the L7 load balance criteria (based on the hash value of the XFF header), using the predictor hash header.
    -Alex

  • How to configure Mail to use different ports for POP and SMTP?

    I am trying to configure Mail for my AT&T account. It requires me to configure POP (incoming) mail for port 995, and SMTP (outgoing) mail for port 465. However there doesn't seem to be an option to configure different ports for these. Is that correct, or am I missing something?
    Alternatively can I configure two accounts, one for POP incoming and one for SMTP outgoing? My incoming POP account does work, but in configuring an outgoing account I still have to configure a POP server name and that will not work for the outgoing port.
    Any advice on how to solve this would be appreciated.

    Understand. It is really quite easy to do in Mail, too. Kappy told you how to set up the smtp piece. I gave you pop info. These two things are on different panels within Account Preferences.
    To recap his and my posts
    SMTP:
    In Mail Prefs, click on the accounts icon. Click on your att yahoo account on the list. On the right of the window, in the lower portion, you see an smtp server menu. Open it and select edit. Select Edit Server, then click on its Advanced tab. Set up port 465 with SSL.
    POP:
    This is on a different panel in Mail Prefs Accounts. Now in Mail Prefs, click on the accounts icon. Click on your att yahoo account on the list. On the right of the window, you see three tabs, acc't info, mbox behaviors, and Advanced. This is where things are different than for smtp. You are going to configure stuff on a different "advanced" panel than where you were for the smtp stuff. Click on the advanced tab. There is a field for port with a SSL checkbox next to it and an authentication drop down menu. Check the box and it should quickfill change from 110 to 995. Authentication drop down is probably already default to password.
    Did you visit the URL I gave you previously? It even gives you screen shots.

  • Configure studio to use vi mode for editing

    Hello,
    I read the documentation and didn't find the instruction on how to configure studio or debug tools to use vi when editing the file.
    Can I ask the suggestions how to get it done?
    thank you.
    tom

    The jVi module is not built-in. It is a NetBeans plugin.
    Once you download and expand the stuff from the SourceForge site you'll end up with a directory which contains com-raelity-jvi.nbm and org-netbeans-modules-jvi.nbm.
    Then from the SolStudio IDE or dbxtool choose Tools->Plugins.
    Choose the Downloaded tab and click on AddPlugins.
    Choose those two nbm's and let the plugin wizard guide you.

  • Can we assign 2 IPs for a SCCM 2012 primary site server and use 1 IP for communicating with its 2 DPs and 2nd one for communicating with its upper hierarchy CAS which is in a different .Domain

    Hi,
    Can we assign 2 IPs for a SCCM 2012 primary site server and use 1 Ip for communicating with its 2 DPs and 2nd one for communicating with its upper hierarchy CAS . ?
    Scenario: We are building 1 SCCM 2012 primary site and 2 DPs in one domain. In future this will attach to a CAS server which is in a different domain. Can we assign 2 IPs in the primary site server, one IP to communicate with its 2 DPs and a second IP for communicating with the CAS server which is in a different domain?
    Details: 
    1)Server : Windows 2012 R2 Std , VM environment .2) SCCM : SCCM 2012 R2 .3)SQL: SQL 2012 Std
    Thanks
    Rajesh Vasudevan

    First, it's not possible. You cannot attach a primary site to an existing CAS.
    Primary sites in 2012 are *not* the same as primary sites in 2007 and a CAS in 2012 is completely different from a central primary site in 2007.
    CASes cannot manage clients. Also, primary sites are *not* used for delegation in 2012. As Torsten points out, multiple primary sites are used for scale-out (in terms of client count) only. Placing primary sites for different organizational units provides no functional differences but does add complexity, latency, and additional failure points.
    Thus, as the others have pointed out, your premise for doing this is completely incorrect. What are your actual business goals?
    As for the IP Addressing, that depends upon your networking infrastructure. There is no way to configure ConfigMgr to use different interfaces for different types of traffic. You could potentially manipulate the routing tables in Windows but that's asking for trouble IMO.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • CSS 11501 Load Balancing with X-forwarded-for

    Hi,
    We have a pair of CSS 11501,
    Currently it is using source IP for load balancing with 5 servers as backend; however, we have users logging in using HTTP and, based on the source IP (ISP PROXY), the request is forwarded to SERVER A.
    However, we have an SSL page, and when the client switches over to SSL, it is forwarded to SERVER B/C/D/E based on its source IP (REAL CLIENT IP).
    This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
    Is there any way that we can use the X-Forwarded-For address to load balance so that when users log in, they are sent to SERVER A (based on the X-Forwarded-For header IP, which translates to the REAL CLIENT IP)?
    This way we are able to also send it back to the same server when it uses SSL.
    I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
    Regards

    Hi,
    Unfortunately CSS does not support X-Forwarded-For, and even if CSS supported that, this won't work if you are not using SSL termination.
    One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
    In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
    Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
      content HTTP-HTTPS
        vip address 10.198.44.70
        advanced-balance sticky-srcip
        add service server1
        add service server2
        add service server3
        add service server4
        add service server5
        protocol tcp
        active
    Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
    Thanks,
    Rodrigo

  • ACE30/4710 - will x-forwarded-for work for non standard HTTP Ports?

    Can I use x-forwarded-for on an ACE30 or ACE4710 to pass source IP details if my web service isn't using Port 80 or 443?  Will it work satisfactorily for HTTP running on other ports (e.g. Port 8080)?

    Hi,
    It inserts this header in HTTP which normally listens on 80. Even though HTTP is listening on any different port, we should be able to insert the header. This should work fine.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Is it possible to configure CF10 or CF11 to use Xerces XML parser instead of Saxon XML parser?

    Could anyone tell me if it is possible to configure CF10 or CF 11 to use the older Xerces XML parser instead of the Saxon XML parser.
    I am in the process of migrating a website from CF8 to CF11. Several sections rely on XML transformation, which no longer work in CF11. After investigating the problem it seems to be that the Saxon Parser is more strict, causing these errors.

    Well I guess Parsers would be better solution. As u said u need to insert node at specific location.
    so now u have to decide which parser u need to choose according to your requirement. DOM or SAX mainly.
    Both have advantages and disadvantages.
    ...yogesh

  • WRT54G....Can I set DHCP to use the router for DNS instead of external DNS?

    Hi folks. I can't get my router to have DHCP tell my PCs that the router should be the DNS server instead of the external servers it is using. I am using Comcast Cable internet. It sets the external DNS servers for every PC that connects to it and I have problems finding my PCs on my network by NetBIOS name because the external DNS servers obviously don't store my local PCs. How can I set the router up to set DHCP to use the router for DNS?

    If you cannot set the DNS server in the configuration page for the DHCP server in your router then your router does not support this.
    This won't solve your problem though. The DNS server on the router is simply a forwarder. It simply forwards the DNS requests from your computer to the ISP's DNS servers. The DNS server does not accept dynamic updates to a private zone inside your LAN. And DNS is pretty much unrelated to the standard Windows workgroup browsing which does the actual name resolution inside your LAN. That name resolution even works without a router inside your network. Basically all Windows computers in your network periodically broadcast their name to the network. One Windows computer is elected "master browser" which collects all these names and provides the name resolution service for all computers in the workgroup.
    If this does not work it is most likely a Windows configuration problem. It could be a software firewall on the computers which blocks traffic. It could be that the computers are not set up for file/printer sharing and thus have the computer browser disabled. It could be that your computers have a WINS server configured which does not exist. There are probably more causes. The better source to ask this question would probably be a Microsoft support group. They deal with these kinds of issues more often and maybe an MVP may be able to point you in the right direction or give some links to step-by-step instructions...

  • How do i use my number for imessaging instead of my email

    how do i use my number for imessage instead of email

    Hello there, qbullard.
    The following Knowledge Base article reviews the process for adding your number to iMessage:
    iOS 6 and OS X Mountain Lion: Link your phone number and Apple ID for use with FaceTime and iMessage
    http://support.apple.com/kb/HT5538
    Thanks for reaching out to Apple Support Communities.
    Cheers,
    Pedro D.

  • Can i use an alternate email instead of an apple ID for iMessage?

    can I use an alternate email instead of an apple ID for iMessage?

    iOS and OS X: Link your phone number and Apple ID for use with FaceTime and iMessage - Apple Support

  • I can't search for books or authors on my iphone 6. It says no results found every time. Is there some setting I may have wrong? I have been using my kindle app instead.

    I can't search for books or authors in iBooks.  When I search an author or book and click on it a message that says no results found comes up.  Even if I try to look up something popular like Dracula or Twilight.  Is there some setting I should have clicked?  It won't find or download any books at all anymore.  This started about a month ago.  I have been using my Kindle app instead.

    Hi laurieg23,
    I see that you are having issues with your connection to the iBooks Store. Here is an article with some troubleshooting steps that will be relevant to your issue, even though the article was written for issues with the iTunes Store:
    Troubleshoot issues on an iPhone, iPad, or iPod touch
    If you haven't been able to connect to the iTunes Store:
    Make sure your date, time, and time zone are correct in Settings > General > Date & Time.
    Note: Time Zone may list another city in your time zone.
    Make sure that your iOS software is up to date by tapping Settings > General > Software Update (iOS 5 or later) or connecting your iOS device to iTunes and clicking Check for Update on your device's Summary page.
    Check and verify that you're in range of a Wi-Fi router or base station. If you're on a device with cellular service, make sure that cellular data is turned on from Settings > General > Cellular.
    Note: If connected to cellular data, larger items may not download. You may need to connect to Wi-Fi to download apps, videos, and podcasts.
    Make sure that you have an active Internet connection. You can check the user guide for your device for help with connecting to the Internet.
    Make sure that other devices (portable computers, for example) are able to connect to the Wi-Fi network and access the Internet.
    Try resetting (turning off and then on again) your Wi-Fi router.
    If the issue persists, try troubleshooting your Wi-Fi networks and connections.
    Can't connect to the iTunes Store - Apple Support
    https://support.apple.com/en-is/HT201400
    Take care, and thanks for visiting the Apple Support Communities.
    Cheers,
    Braden

  • Can we Use T Code MIRA instead of MIRO for posting incoming invoice?

    Hi All,
    Can we Use T Code MIRA instead of MIRO for posting incoming invoice?
    While trying to post an incoming invoice using MIRO, I am getting an error "HKONT is EMPTY". But when using MIRA I could get the invoice posted.
    And in which situations we use MIRA?
    Thanks in Advance
    Gopi Krishna

    Hello
    MIRA is for Invoice Verification in the Background
    Purpose
    This process is suitable for the following transactions:
    Posting invoices with mass amounts of data for which no item check is required
    Posting invoices referring to transactions not yet entered in the system
    Entering Invoices for Verification in the Background (Without Item List)
    When verifying invoices in the background, you enter only a small set of document header data, such as the invoice amount, the currency and the tax information. You also allocate the incoming invoice to a purchasing document or a vendor. The system saves the data and allocation criteria you enter.
    At a later point, the system verifies the invoice in the background. It uses the allocation criteria you entered to determine the item list. It then calculates the net total from the item list.
    If the net total = gross amount invoiced - tax amount (+/- tolerance), the system posts the invoice in the background.
    If the net total ≠ gross amount invoiced - tax amount (+/- tolerance), the system does not post the invoice in the background. It saves the document header data and the items determined in the background; the saved document then has to be processed manually in Invoice Verification.
    With Invoice Verification in the background, the system does not check for any quantity or price differences at item level. Since you do not enter any actual invoice item data, the system uses the default data for comparison.
    Regards
    Gregory Mathews
