Sticky using X-Forwarded-For

Hello,
  I have a back-end ACE which needs to create a sticky based on a header value. The X-Forwarded-For header is perfect as it indicates the original client IP. There is a front-end ACE which is setting the header correctly.
  My goal is to have the sticky associate every subsequent request originating from the same client IP (X-Forwarded-For value) with the same backend server. This application opens multiple sessions and they all need to go to the same backend server.
  Does anyone have an example of what that backend ACE config would look like?

Hi Joseph,
If I understood you correctly, you have now configured the ACE to insert a header with the client IP in it. Am I right? If so, this is not going to work.
For stickiness to work properly, you would need to ensure that the client (or the proxy before the ACE) is inserting a string on the request that remains constant throughout all the connections from a single client. The moment this string changes, the ACE will no longer be able to find a valid sticky entry and just send the request to another server.
If the header stickiness is not working properly due to the changing headers, you could always try using cookie stickiness instead. The ACE can insert a cookie for stickiness purposes, and there is no reason for the client to modify it.
Daniel

Similar Messages

  • Capture IP without using X-Forwarded For

                      Hello Friends,
    We are running a web-application that has a login on the very first page.
    We want to capture the real IP addresses of all the customers that visit our application.
    We have Cisco layer 3 Load balancer configured in a shared mode with Natting.
    We are running IBM http server over Apache. 
    We proposed using the "X-Forwarded-For" header to capture the client IP but were not allowed due to known vulnerabilities associated with X-Forwarded-For.
    We want to capture client IPs for "http" and "https" without using "X-Fwd for".
    Can someone kindly suggest if there is any alternate to it?
    If yes then how to implement it?

    Hi Vivek, adding the X-Forwarded-For method to the load balance policy, so that the source IP address is added to the HTTP header, is the only method, unless the application itself requests the source IP to be added in the header, which can be passed through the load balancer.
    Sent from Cisco Technical Support Android App

  • Configuring CF10 to use X-forwarded-for instead of remote_addr

    I am using an AWS instance behind a load balancer with NAT. It has its advantages, but one of its disadvantages is the remote_addr coming through is the remote_addr of the ELB.
    http://leaguemanager.playerspace.com/test.cfm
    What I'm trying to do is trick or configure the CF10 Administrator > Debugging and Logging > Enabled Request Debugging Output to use the x-forwarded-for as opposed to the remote_addr so I can use server debugging without that information being made visible to the public.
    Is this possible by, say, modifying a file somewhere, to have the IP addresses set in Debugging and Logging > Debugging IP Addresses to be matched with the true client's personal IP (x-forwarded-for)?
    JS

    Never mind, I figured it out.
    c:\coldfusion10\cfusion\runtime\conf\server.xml
    Added
    <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
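    The objection in the "Capture IP without using X-Forwarded-For" thread above ("known vulnerabilities") and the RemoteIpValve configuration just posted come down to the same question: who is allowed to set the header? The client can send its own X-Forwarded-For before the proxy appends the real source address, so the leftmost entry is attacker-controlled; the only safe rule is to walk the chain from the right, skipping addresses you know are your own proxies, and treat the first unknown one as the client. RemoteIpValve does exactly this using its internalProxies and trustedProxies attributes; the valve as posted leaves both at their defaults, so verify that the load balancer's address actually matches the default internalProxies pattern (RFC 1918 and loopback ranges) and that no untrusted address does. The Python below is an added illustration of that rule, not code from any of the threads or from Tomcat; the trusted networks and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed trust list: the proxy/load-balancer tier allowed to set
# X-Forwarded-For. These networks are assumptions for the example, not
# addresses taken from any of the threads above.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),        # assumed internal LB tier
    ipaddress.ip_network("198.51.100.20/32"),  # assumed public-addressed LB
]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def _hops(xff_header):
    """Split the header into its comma-separated entries, left to right."""
    if not xff_header:
        return []
    return [h.strip() for h in xff_header.split(",") if h.strip()]


def naive_client_ip(peer_addr, xff_header):
    """The common mistake: take the leftmost entry. The client can send any
    X-Forwarded-For it likes before the proxy appends the real source
    address, so this value is attacker-controlled."""
    hops = _hops(xff_header)
    return hops[0] if hops else peer_addr


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Right-to-left walk over the chain, the rule RemoteIpValve-style
    middleware applies with its internalProxies/trustedProxies lists.

    Returns (client, untrusted_prefix):
      client            first address, scanning from the right, that is not
                        one of our trusted proxies; None if a malformed
                        token is hit where a decision is needed (fail closed)
      untrusted_prefix  entries to the left of the client, i.e. whatever the
                        client itself sent; fine for logs, never for access
                        control
    """
    peer = ipaddress.ip_address(peer_addr)
    hops = _hops(xff_header)
    # The TCP peer is the only address that cannot be forged at this layer.
    # If it is not a trusted proxy, the request came straight from the
    # client and the whole header is client-supplied noise.
    if not _is_trusted(peer, trusted):
        return peer, hops
    for i in range(len(hops) - 1, -1, -1):
        try:
            addr = ipaddress.ip_address(hops[i])
        except ValueError:
            return None, hops[:i]
        if not _is_trusted(addr, trusted):
            return addr, hops[:i]
    # Every hop was a trusted proxy: the originator is the leftmost hop (an
    # internal caller), or the peer itself when the header was empty.
    return (ipaddress.ip_address(hops[0]) if hops else peer), []
```

    With the load balancer at 10.0.0.7 and a client that sends "X-Forwarded-For: 1.2.3.4" before the balancer appends 203.0.113.9, naive_client_ip() reports 1.2.3.4 while client_ip() reports 203.0.113.9 and hands back ["1.2.3.4"] as untrusted data. A request arriving directly from an untrusted peer keeps the peer address whatever the header says, and a non-address token at the decision point returns None rather than guessing. Because ipaddress handles both families, the same function works for IPv6 chains.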

  • ACE30 Load balancing based on IP and using x-forward-for header

    Hi Guys,
    We currently have a load balancing policy setup to direct traffic to say FARM-A based on a particular range of source (client) IP addresses, and the default FARM-B for all the other traffic.
    We are now looking to introduce a web application firewall (WAF) before the ACE.  The WAF will be inserting the client IP address into the X-Forwarded-For HTTP header.  Now I was wondering how best we can achieve the load balancing based on source IP, given that we'll have to parse the HTTP header for this X-Forwarded-For field?  Are there any examples that anyone can point me to? 
    let me know if you have any questions.
    thanks
    Sheldon

    Hi Sheldon,
    You might try creating a class map that matches on the XFF header. Then use that as the L7 load balance criteria (based on the hash value of the XFF header), using the predictor hash header.
    -Alex
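    Both the opening thread (sticky on the X-Forwarded-For value so that every session from one client IP lands on one backend) and the hash-header predictor Alex suggests depend on the same property Daniel pointed out: the header string must be identical on every request, because it is the lookup key. The model below is an added illustration, not ACE code or anything posted in these threads; the server names, timeout and clock are constructed for the example. It shows a stateless hash-header predictor next to a sticky table with an idle timeout, and what happens when the header value changes for the same client.

```python
import zlib

# Constructed backend pool; the names are assumptions for the example.
FARM = ["server1", "server2", "server3", "server4", "server5"]


def normalize_xff(value):
    """One canonical form of the header so 'a,b' and 'a, b' share a key."""
    return ",".join(h.strip() for h in value.split(",") if h.strip())


def hash_header_predictor(key, farm):
    """Stateless 'predictor hash header' behaviour: a stable hash of the
    header value picks the server. crc32 is used only for stability across
    processes (Python's str hash is randomized); it is not a security hash."""
    return farm[zlib.crc32(key.encode()) % len(farm)]


class StickyGroup:
    """Sticky entries keyed by the normalized X-Forwarded-For value.

    A hit within the idle timeout returns the remembered server regardless
    of what the predictor would choose now; a miss consults the predictor
    and records the result. `now` is injectable so expiry can be tested.
    """

    def __init__(self, farm, timeout, now):
        self.farm = farm
        self.timeout = timeout
        self.now = now
        self.entries = {}  # key -> [server, last_seen]

    def select(self, xff_value):
        key = normalize_xff(xff_value)
        t = self.now()
        entry = self.entries.get(key)
        if entry is not None and t - entry[1] <= self.timeout and entry[0] in self.farm:
            entry[1] = t
            return entry[0]
        server = hash_header_predictor(key, self.farm)
        self.entries[key] = [server, t]
        return server


def demo():
    """Walk through the scenarios from the threads with a fake clock."""
    clock = [0.0]
    group = StickyGroup(FARM, timeout=300, now=lambda: clock[0])
    # Three separate TCP connections from the same client IP as inserted by
    # the front-end proxy: all three must reach the same server.
    first = group.select("203.0.113.9")
    same = all(group.select("203.0.113.9") == first for _ in range(2))
    # Same client, but another hop has prepended its own address: the header
    # string differs, so the sticky table sees a different key.
    group.select("198.51.100.7, 203.0.113.9")
    # A server is added; the existing entry stays pinned until it expires.
    group.farm = FARM + ["server6"]
    pinned = group.select("203.0.113.9") == first
    clock[0] += 301
    after_expiry = group.select("203.0.113.9")
    return {
        "first": first,
        "same_server_all_sessions": same,
        "sticky_keys": len(group.entries),
        "pinned_after_farm_change": pinned,
        "after_expiry": after_expiry,
    }
```

    The hash predictor alone already sends equal header values to the same server, and the sticky table keeps a client on its server even after the farm changes, until the entry idles out. The second key in the table is the cost of a changing header: the same client is now tracked twice and may be balanced elsewhere. The security corollary is that whoever controls the header value controls the key, so a client that can vary X-Forwarded-For can also choose which backend it lands on; only let a proxy you trust set the value the backend balances on.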

  • CSS 11501 Load Balancing with X-forwarded-for

    Hi,
    We have a pair of CSS 11501,
    Currently it is using source IP for load balancing and 5 servers as backend; however, we have users logging in using HTTP and, based on the source IP (ISP PROXY), they are forwarded to SERVER A.
    However, we have an SSL page and when the client switches over to SSL, it is forwarded to SERVER B/C/D/E based on its source IP (REAL CLIENT IP).
    This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
    Is there any way that we can use the X-Forwarded-For address to load balance so that when users log in, they are sent to SERVER A (based on the X-Forwarded-For header IP, which translates to the REAL CLIENT IP)?
    This way we are also able to send it back to the same server when it uses SSL.
    I believe that we should be able to load balance using the X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into the client source IP.
    Regards

    Hi,
    Unfortunately the CSS does not support X-Forwarded-For, and even if the CSS supported it, this won't work if you are not using SSL termination.
    One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
    In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
    Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
      content HTTP-HTTPS
        vip address 10.198.44.70
        advanced-balance sticky-srcip
        add service server1
        add service server2
        add service server3
        add service server4
        add service server5
        protocol tcp
        active
    Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
    Thanks,
    Rodrigo

  • ACE30/4710 - will x-forwarded-for work for non standard HTTP Ports?

    Can I use x-forwarded-for on an ACE30 or ACE4710 to pass source IP details if my web service isn't using Port 80 or 443?  Will it work satisfactorily for HTTP running on other ports (e.g. Port 8080)?

    Hi,
    It inserts this header in HTTP which normally listens on 80. Even though HTTP is listening on any different port, we should be able to insert the header. This should work fine.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Why I can't update my ios to ios6? It always display that..Error in updating..I am using ipad3. Please help me update my ios. Looking forward for your kind support and cooperation. Thank you.

    Why I can't update my ios to ios6? It always display that..Error in updating..I am using ipad3. Please help me update my ios. Looking forward for your kind support and cooperation. Thank you.

  • HT4899 Is there a way I can delete my primary @me email address so that I can receive emails only via my "reserved" @icloud address. The reason being, I receive a fair bit of spam to my @me address. Going forward I plan on using an alias for certain websi

    Is there a way I can delete my primary @me email address so that I can receive emails only via my "reserved" @icloud address. eg. delete "msjones@me" and receive emails via "msjones@icloud" only.The reason being, I receive a fair bit of spam to my @me address. Going forward I plan on using an alias for certain websites to minimise this problem.

    You can't delete the address, but you can set up a Rule to move messages to that address to the Trash or another folder. Go to http://icloud.com and go to the Mail page, click the cogwheel icon at top right and choose 'Rules'.
    It's a bad idea to post your email address - it's an invitation to spam - even though in fact you haven't posted them in full; I've asked the hosts to remove them.

  • I use my IPod for Audio Books, how do I 'fast forward', I use my IPod for Audio Books, how do I 'fast forward'

    I use my IPod for Audio Books, how do I 'fast forward',

    While listening to an audiobook, click the Center button twice to reveal the scrubber bar. Use the scroll wheel (like you do to move up and down the menus) to fast forward or rewind through the audiobook or audiobook track.
    B-rock

  • How do you set up Port Forwarding for ARD 2.2 in AEB N?

    Help,
    I'm a novice at Apple Remote Desktop (ARD) - not an IT guy, so it has to be pretty basic and detailed.
    How do you set up Port Forwarding for ARD 2.2 on the Apple Airport Extreme BS router, 802.11 N? I have one at each end of the internet connection. At one end I have an Airport Extreme N router with 2 Macs and eventually 1 Windows XP machine (if I can) that I would like to be able to connect to over the internet (the clients), and at the other end, I have a Mac with ARD 2.2 installed, also with an Airport Extreme N router. Note: Both routers use static IP addresses and all computers use static IPs internally, not through DHCP. What are the settings or directions to do this?
    I have read and printed out the directions for Configuration of ARD 3.0 that are posted many times in the ARD discussion group, but it uses a Linksys router ( http://www.starkpr.com/ard.htm posted by Dave Sawyer). The Mac router is different, particularly with the place to set a Private IP address. I'm not sure about a lot of things, but especially about the Private IP address: what number do I set it to, the one that is in my Network connections list? It automatically changes to a different number in AE N setup for Port Forwarding (by one), as if it is not supposed to be the same?
    Are there any directions available that are as straightforward for the Airport Extreme N router as the ones that are listed here for the Linksys routers? ( http://www.starkpr.com/ard.htm )
    Any and All help will be greatly appreciated.
    P.S. I know I should have 3.0 but bought 2.2 just weeks before 3.0 came out and they would not give me an upgrade price, so I'm waiting for 4.0 to upgrade.
    Thanks,
    Jim

    Try the following for each AirPort Extreme ...
    AEBSn - Port Mapping Setup
    To set up port mapping on an 802.11n AirPort Extreme Base Station (AEBSn), either connect to the AEBSn's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN ports of the AEBSn, and then use the AirPort Utility, in Manual Setup, to make these settings:
    1. Reserve a DHCP-provided IP address for the host device.
    Internet > DHCP tab
    o On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
    o Description: <enter the desired description of the host device>
    o Reserve address by: MAC Address
    o Click Continue.
    o MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
    o IPv4 Address: <enter the desired IP address>
    o Click Done.
    2. Setup Port Mapping on the AEBSn.
    Advanced > Port Mapping tab
    o Click the "+" (Add) button
    o Service: <choose the appropriate service from the Service pop-up menu>
    o Public UDP Port(s): 3283
    o Public TCP Port(s): 3283
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s): 3283
    o Private TCP Port(s): 3283
    o Click "Continue"
    o Click the "+" (Add) button
    o Service: <choose the appropriate service from the Service pop-up menu>
    o Public UDP Port(s):
    o Public TCP Port(s): 5900
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s):
    o Private TCP Port(s): 5900
    o Click "Continue"
    o Click the "+" (Add) button
    o Service: <choose the appropriate service from the Service pop-up menu>
    o Public UDP Port(s):
    o Public TCP Port(s): 5988
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s):
    o Private TCP Port(s): 5988
    o Click "Continue"
    (ref: "Well Known" TCP and UDP ports used by Apple software products)

  • Can I use a domain for one site and mobile me for a different site?

    Can I use a domain for one site and mobile me for a different site?
    I have two sites, I would like to have up and I would like to do one through a domain and one through mobileme is this possible?

    Yes you can. You can use the CNAME method of forwarding for the first site (the top site in iWeb) and use the MMe URL for your account for the other site: http://web.me.com/YourAccount_Name/SiteName/
    OT

  • Use Redis Cache for Multiple Applications

    Hi,
    I did some searches and could not come up with a straightforward answer, so I am hoping someone here can clarify this for me.
    We have two different products that we have built in .NET that we host in Azure as websites. For each of these two products we have multiple clients. Each product and client pair has its own SQL database and its own website setup in Azure.
    We would like to start using Redis Cache for the session of these products. Do I need to:
    1) Create 1 Redis Cache and use it for all clients / products?
    2) Create 2 Redis Caches and use one per product (redis caches needed = # of products)?
    3) Create an individual Redis cache for each client / product pair (redis caches needed = # of products x # of clients)?

    You can do any of the above. It would really depend on how much load you are expecting on the Cache.
    For separation and load balancing it might be better to have a Cache per Website
    For a Cache to be useful it should be closer to the Web tier, so ensure that you provision the Cache in the same region as the Website.

  • In Firefox 3.6.10 I was able to go forward and backwards between pages without the page defaulting to the top of the page. Is there any way to prevent the page from automatically moving to the top when using the forwards and back buttons in Firefox Four?

    I like to be able to navigate backwards and forwards without having to scroll down and find where I was previously. In Firefox Four, when using the forwards and back buttons, the page will automatically return to the top of the page. Is there any way to change this setting in Firefox Four to prevent it from doing that?

    Thanks for the response. No Time Machine, but I probably have a backup from a few months ago on an external hard drive. :/ I guess it'd have useful history, but not if it overwrote the last 3 months or so of Awesome Bar, that might not be so great.

  • Port forwarding for clientless SSL VPN access

    Hello,
    I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
    However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
    But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
    Why? It's not trying to access the same TCP port on a server when it's already in use. Is there any way I can get around this?
    If this doesn't make sense, please let me know and I'll do my best to explain it better.

    Hi Caleb,
    If you mean clientless WebVPN port-forwarding lists, then you should be able to get your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.
    CLI:
    ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
    ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
    Then you apply the port-forward list under a group-policy.
    Hope this helps
    Mashal
    Mashal Alshboul

  • Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2

    I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 
    I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
    I logged into the Verizon Actiontec MI424WR router, setup port forwarding for UDP ports 500, 1701 & 4500.
    Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
    With the port forwarding in place, I tested VPN externally but it didn't connect.
    I've done the following so far to no avail:
    Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
    There are no other pre-existing L2TP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
    There was an L2TP port triggering rule enabled, that I toggled on and off with no change
    Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
    Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced it's an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
    My router details:
    Verizon Actiontec
    MI424WR-GEN2
    Revision E
    Firmware 20.21.0.2
    Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.

    Normally a VPN on that router will have the GRE tunneling protocol as well.
    There are two ways to build the PF rules:
    Manually
    Preconfigured
    I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.
