ronanray

Reputation: 577

Forward Akamai's True-Client-IP via F5 BigIP

Akamai returns the client IP in the True-Client-IP header. This can be disabled in Akamai settings so that Akamai will return the client IP in the HTTP-X-Forwarded-For header, but this will contain multiple IP addresses (Client IP, Proxy 1, Proxy 2, etc.).

I need to retrieve the client IP in the web server (IIS 7.5), behind F5 load balancer.

What do I need to do in the F5?

Will F5 pass the True-Client-IP header to the web servers directly?

Or, should I change Akamai settings to return the client IP in the HTTP-X-Forwarded-For header instead?

Upvotes: 2

Views: 5939

Answers (1)

Chase

Reputation: 670

I would use X-Forwarded-For because BIG-IP already has provisions to pass this through.

Depending on the version of BIG-IP, you can accomplish this in an iRule, or in newer versions X-Forwarded-For is a feature to enable within your HTTP profile. Then you just need to configure IIS to accept that new data.

https://devcentral.f5.com/questions/big-ip-http-profile-insert-x-forwarded-for-enabled

This should get you started. If you're pre 11.x TMOS, refer to this discussion:

https://devcentral.f5.com/questions/how-to-setup-x-forwarded-for-http-header-to-preserve-the-original-client-ip-address-for-traffic-translated-by-a-snat--25436

Update: By default, IF using SNAT, you'll see the IP of the SNAT pool. X-Forwarded-For is the standard method for sending on client data for web applications. In 11.x BIG-IP, you can create an HTTP profile and check the X-Forwarded-For option, and this will simply send on that external data to the web server. I think IIS 7.5 still requires custom logging filters to be set up to catch it; in newer 8.x it's available as an option without doing too much.

This is all IF you're using SNAT (most people do). We do this because most people do not use the BIG-IP as the outbound gateway and SNAT corrects asynchronous routing issues. However, if you're using the BIG-IP as the outbound gateway for the IIS server, you can bypass the SNAT requirements; having both inbound and outbound traffic go through BIG-IP. In those cases, SNAT isn't required and you can always get the source IP data from the outside.

The downside is that most of the time the BIG-IP isn't the perimeter device, and there still may be other devices that obfuscate the source IP. Because X-Forwarded-For is a separate header in the HTTP payload, it can bypass changing source IP issues.

Hence, go for X-Forwarded-For.

Lemme know if you have other questions.

Upvotes: 3
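Whichever header you settle on, the web application (or an IIS logging filter) still has to pick the right address out of it, and the one thing to avoid is taking the leftmost X-Forwarded-For value, since that end of the chain is whatever the original client chose to send. The snippet below is an added illustration, not code from the answer above or from F5/Akamai: it walks the chain from the right, skipping the proxies you actually trust (the CDN edge ranges and the BIG-IP SNAT pool; the ranges used here are constructed placeholders, not Akamai's real edge ranges), and only honours True-Client-IP when the request provably came through that chain.

```python
import ipaddress
from typing import Iterable, List, Optional

# Placeholder ranges (constructed for this example): replace them with the real
# Akamai edge ranges and the BIG-IP SNAT pool addresses in your environment.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder: CDN edge nodes
    ipaddress.ip_network("10.0.5.0/24"),      # placeholder: BIG-IP SNAT pool
]


def is_trusted(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr parses as an IP and belongs to one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def parse_xff(header_values: Iterable[str]) -> List[str]:
    """Flatten one or more X-Forwarded-For header instances into an ordered hop list.
    Proxies may append to the existing header or add a second instance; either way
    the resulting order is [client-supplied..., client, proxy1, proxy2, ...]."""
    hops = []
    for value in header_values:
        for token in value.split(","):
            token = token.strip()
            if token:
                hops.append(token)
    return hops


def client_ip_from_xff(header_values: Iterable[str], remote_addr: str,
                       trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Rightmost-untrusted selection.
    Only the entries appended by proxies we control are reliable, and they sit at the
    right end. Walk from the right, drop every trusted proxy address, and the first
    address that is not ours is the best estimate of the real client."""
    if not is_trusted(remote_addr, trusted):
        # The TCP peer is not one of our proxies, so the header was never vetted:
        # the socket address is the only value we can believe.
        return remote_addr
    for hop in reversed(parse_xff(header_values)):
        if not is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None  # malformed entry; refuse to guess
    return None  # every hop was one of our proxies; nothing usable left


def client_ip_from_true_client_ip(header_value: Optional[str], remote_addr: str,
                                  trusted=TRUSTED_PROXIES) -> Optional[str]:
    """True-Client-IP carries a single address, but it is just as forgeable as XFF
    unless the request arrived from a trusted proxy that overwrites it."""
    if header_value is None or not is_trusted(remote_addr, trusted):
        return None
    try:
        return str(ipaddress.ip_address(header_value.strip()))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: BIG-IP SNAT address is the peer, Akamai edge added itself
    # to the chain, and the client tried to prepend a bogus address.
    print(client_ip_from_xff(["1.2.3.4, 203.0.113.7, 198.51.100.20"], "10.0.5.3"))
```

The same selection rule applies whether BIG-IP appends to an existing X-Forwarded-For header or adds a second header instance, because parse_xff concatenates the instances in order before the walk; the only configuration you have to keep accurate is the trusted-proxy list.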
