X-Forwarded-For Header Insert Fail


Hoang Hung

You are using a REWRITE replace action to replace an existing x-forwarded-for header. Does your originating request contain an existing x-forwarded-for, or do you in fact need to do a first-time insertion?

If you have an existing x-forwarded-for that you are replacing, then it is likely you are no longer including the originating client IP, as there is likely already a proxy between the client and the VIP.

If an existing x-forwarded-for header doesn't exist, then you aren't doing an insertion at all. In this case you need a rewrite action that does an INSERT HTTP HEADER, and a policy that hits when the header does not already exist.

 

How are you determining a failure?  Or are you not seeing a policy hit occur?

 

For additional troubleshooting:

1) Be sure the rewrite feature is enabled.

2) Add a log action that will result in a message being inserted into syslog when this policy hit occurs. You can use this to insert the current client IP or the existing header value, if needed. You also have to update the global syslog parameters (System > Auditing, then change parameters in the right pane) to include "user configurable messages" for these events to be included.

3) Confirm your policy binding is to the appropriate HTTP or SSL lb vserver(s) for insertion.

4) Finally, if multiple rewrite policies are in effect, be sure the GoTo Expression binding is set to NEXT instead of END so multiple policies can apply. (NOTE: you cannot daisy chain rewrite policies on the same transaction; they must be doing different rewrites and not modifying the same header multiple times in a single request.)

Thanks Rhonda Rowland

We do in fact need to do a first-time insertion. We hope that my server can see the source IP for all people (we need to forward the source IP in the packet header). So we have configured it following the link https://support.citrix.com/article/CTX218061

Finally, we are sure the rewrite feature is enabled.

But the server does not see the client source IP.

Do you know the policy to apply for a rewrite action that does an INSERT HTTP HEADER?

Please help us

 

Thanks


When you create your rewrite action, set the action type to INSERT_HTTP_HEADER. (It's a drop-down list in the GUI.)

Rewrite action types (insert header, insert before, insert after, replace, delete, delete header, etc...) can only be selected when creating the action. Once the action is created, this field isn't changeable but you can create a new instance.

 

CLI Example:

add rewrite action rw_act_inshdr_clientip insert_http_header "x-forwarded-for" "client.ip.src"
add rewrite policy rw_pol_inshdr_clientip '!http.req.header("x-forwarded-for").exists' rw_act_inshdr_clientip

bind lb vserver <lb vserver name> -policyName rw_pol_inshdr_clientip -priority 100 -gotoPriorityExpression NEXT -type REQUEST
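
Added example (not part of the original posts and not Citrix's own configuration): troubleshooting steps 1 and 2 applied to the CLI example above, so that syslog shows whether a request reached the vserver with or without an x-forwarded-for header. The log action names, the second policy, its priority and the message text are hypothetical; the rewrite policy name and the vserver placeholder come from the CLI example.

```netscaler
# Step 1: make sure the rewrite feature is on.
enable ns feature REWRITE

# Step 2: include user-configurable messages in syslog.
set audit syslogParams -userDefinedAuditlog YES

# Message logged when the insert policy hits (no header was present).
add audit messageaction log_act_xff_inserted INFORMATIONAL '"XFF inserted: client=" + CLIENT.IP.SRC'

# Message logged when a header was already present, with its value.
add audit messageaction log_act_xff_present INFORMATIONAL '"XFF already present: client=" + CLIENT.IP.SRC + " xff=" + HTTP.REQ.HEADER("x-forwarded-for")'

# Attach the first message to the existing insert policy.
set rewrite policy rw_pol_inshdr_clientip -logAction log_act_xff_inserted

# Log-only policy for the opposite case; NOREWRITE leaves the request unchanged.
add rewrite policy rw_pol_log_xff_present 'http.req.header("x-forwarded-for").exists' NOREWRITE -logAction log_act_xff_present

# Evaluated after the priority 100 policy because that binding uses NEXT.
bind lb vserver <lb vserver name> -policyName rw_pol_log_xff_present -priority 110 -gotoPriorityExpression NEXT -type REQUEST

# Check the hit counters on both policies.
show rewrite policy rw_pol_inshdr_clientip
show rewrite policy rw_pol_log_xff_present
```

The messages are written to /var/log/ns.log. If only the "already present" message appears, the insert policy is not hitting because a device in front of the VIP already set the header.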