This section discusses the advantages of using True Client IP and its configuration.
A proxy identifies the client IP from the Layer-3 header of the incoming connection. However, this is not always the actual client IP address. When there are proxies between the actual client and Avi Load Balancer, the intermediary proxy always adds the source IP address of the incoming connection to the X-Forwarded-For header. It then replaces the source IP address in the Layer-3 header with its own IP address while forwarding the request to the actual destination.
The true client IP feature fetches the actual client IP address from the X-Forwarded-For header or a user-defined header. You can then record the actual client IP address in logs or configure policies such as HTTP Security, HTTP Request, and so on, based on the true client IP address.
Advantages of using True Client IP
You can log the actual client IP address in the application logs at Avi Load Balancer.
The actual client IP address can be shared with the actual server (Avi Load Balancer can add the identified actual client IP as X-Forwarded-For, and the server can be configured to parse it).
You can configure HTTP policy, SSO policy, and so on, based on the actual client IP address.
True Client IP in Avi Load Balancer
With the implementation of true client IP, the following are supported:
Source IP is always the IP address from the IP header of the downstream connection (incoming).
Client IP is derived based on user configuration. It can be derived from the X-Forwarded-For header or a user-specified header, or it can be the same as Source IP.
With true client IP, the behavior is as shown below:
True Client IP Configuration | Header Parameter | Direction Parameter | Index Count Parameter | Behavior |
---|---|---|---|---|
Disabled (Default) | X-Forwarded-For (Default) | Left (Default) | 1 (Default) | Client IP=Source IP |
Enabled | True-User-IP (User defined) | Left (Default) | 1 (Default) | Client IP is the IP fetched from user defined header “True-User-IP” or from layer 3 header in case user defined header not found in the request or formatting error. IP is always from Layer-3 header |
For L4 applications, Source-IP and Client-IP would always be the same. In the case of HTTP applications, it can be different. By default, the feature is deactivated. After enabling true client IP, specify the desired header from where the client IP must be fetched.
If the user does not define any header, the client IP is fetched from the X-Forwarded-For header. The value of the specified header must be a comma-separated list of IP addresses. If the value is not in this format, the header is ignored.
For instance, the header value format is: X-Forwarded-For: 1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4
You can configure only one header as of now to fetch client IP.
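The derivation described above, modeled as an added Python example (not Avi Load Balancer code). The function name derive_client_ip and the sample source IP are constructed for illustration. The 1-based index counted from the chosen side, and the fallback to Source IP for an out-of-range index, are assumptions the page does not state.

```python
import ipaddress

# Constructed sample request, using the header value format shown above.
SAMPLE_SOURCE_IP = "10.0.0.5"   # constructed: Layer-3 address of the last proxy
SAMPLE_HEADERS = {"X-Forwarded-For": "1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4"}


def derive_client_ip(source_ip, headers, enabled=False,
                     header_name="X-Forwarded-For", direction="left", index=1):
    """Model of the behavior table: return the Client IP for one request."""
    if direction not in ("left", "right"):
        raise ValueError("direction must be 'left' or 'right'")
    if not enabled:
        return source_ip                  # Disabled: Client IP = Source IP
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    if value is None:
        return source_ip                  # header not found in the request
    try:
        entries = [ipaddress.ip_address(e.strip()) for e in value.split(",")]
    except ValueError:
        return source_ip                  # formatting error: header is ignored
    if not 1 <= index <= len(entries):
        return source_ip                  # assumption: out-of-range index falls back
    # Assumption: index is 1-based, counted from the chosen side of the list.
    chosen = entries[index - 1] if direction == "left" else entries[-index]
    return str(chosen)


if __name__ == "__main__":
    for kwargs in ({}, {"enabled": True},
                   {"enabled": True, "direction": "right"},
                   {"enabled": True, "header_name": "True-User-IP"}):
        print(kwargs, "->", derive_client_ip(SAMPLE_SOURCE_IP, SAMPLE_HEADERS, **kwargs))
```

Only the entries appended by proxies you operate are reliable; anything further left in the list is whatever the sender supplied, so choose the direction and index to match the number of trusted hops in front of the load balancer.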