Log $http_x_forwarded_for behind Cisco ACE LB

dubstep · March 2, 2012, 11:58am

Hello !

I’m new to Nginx.

I installed Nginx (on Gentoo) instead of Apache behind a Cisco
LoadBalancer.

My problem is that the directive $http_x_forwarded_for always write
local IP of the LoadBalancer instead of Real IP.

But I have the good IP in the header HTTP_X_FORWARD.

I’ve tried lot of configurations but no one is good…

Do you have any idea ?

Thanks by advance,

Tib1

Posted at Nginx Forum:

Tib1 · March 2, 2012, 12:01pm

2012/3/2 Tib1 [email protected]:

But I have the good IP in the header HTTP_X_FORWARD.

perhaps something like this:

set_real_ip_from load_balancer_ip;
real_ip_header X-Forwarded-For;

ref: Module ngx_http_realip_module

Tib1 · March 2, 2012, 12:07pm

Nope, I’ve tried this but without success…

Posted at Nginx Forum:

Tib1 · March 2, 2012, 5:27pm

How can I get the full request header ?

Posted at Nginx Forum:

Tib1 · March 2, 2012, 5:46pm

Problem solved.
It’s the name of real_ip_header that was wrong in my CISCO system.

Thanks.

Posted at Nginx Forum:

Tib1 · March 2, 2012, 12:09pm

2012/3/2 Tib1 [email protected]:

Nope, I’ve tried this but without success…

I suggest posting the full request header sent by load balancer.

Tib1 · March 3, 2012, 6:59am

02 марта 2012, 15:01 от Edho A. [email protected]:

But I have the good IP in the header HTTP_X_FORWARD.

perhaps something like this:

set_real_ip_from load_balancer_ip;
real_ip_header X-Forwarded-For;

Replace X-Forwarded-For with X-Forward and that shouldl work.

You may want to update your Cisco ACE loadbalancing policy
map configuration to insert the standard X-Forwarded-For
instead of the X-Forward header by doing something like this
in Exec mode:

host1/Admin# show running-config policy-map

You should see something like this:

policy-map type loadbalance http first-match L7_LB_POLICY
class L7_LB_CLASS
serverfarm SERVER_FARM_1
insert-http x-forward header-value “%is”

Then just replace the header:

Host1/Admin# configure terminal
Host1/Admin(config)# policy-map type loadbalance first-match
L7_LB_POLICY
host1/Admin(config-pmap-lb)# class L7_LB_CLASS
host1/Admin(config-pmap-lb-c)# no insert-http X-Forward header-value
“%is”
host1/Admin(config-pmap-lb-c)# insert-http X-Forwarded-For header-value
“%is”
host1/Admin(config-pmap-lb-c)# exit
host1/Admin(config)# exit

If everything works as expected just save your configuration and that’s
it:
host1/Admin# copy running-config startup-config

Max

Tib1 · March 3, 2012, 10:52am

Thank you very much Max !

In fact, it was the name of the header that was wrong.

And I didn’t make the connection between the value in the Cisco ACE and
the value of the Nginx real_ip_header. I thought it was a constant.

So thank you again

Have a good day !

Posted at Nginx Forum: