By default, NSX Advanced Load Balancer Service Engines (SEs) source-NAT (SNAT) the traffic they send to servers. Because of SNAT, logs on the application servers show the layer 4 IP address of the SE rather than the original client's IP address.

Most application servers can use the XFF header as the client source IP address for logging or blocklisting, provided the header they read is the one inserted by the SE rather than one supplied by the client.

For HTTP traffic, NSX Advanced Load Balancer can be configured to insert an X-Forwarded-For (XFF) header into the requests it forwards to the server, so that the original client IP address is available to the server for logging. IPv6 client addresses are supported.

To include the client’s original IP address in HTTP traffic logs, enable NSX Advanced Load Balancer to insert an XFF header into the client traffic destined for the server. XFF insertion can be enabled in the HTTP application profile attached to the virtual service.

  1. Navigate to Templates > Profiles > Application.

  2. Click the edit icon next to the HTTP Application Profile to open the profile editor.

  3. Within the HTTP tab, select the X-Forwarded-For check box.

  4. Optionally, rename the header using the XFF Alternate Name field.

  5. To retain one or more X-Forwarded-For headers that arrive with the request, select an option under XFF Header Handling. See XFF Header Handling below.

  6. Click SAVE.

The profile change affects any virtual services that use the same HTTP application profile.

When XFF header insertion is enabled with the default handling (Replace XFF Headers), the SE inspects each client request for existing XFF headers. If any are present, the SE removes them and then inserts its own XFF header carrying the layer 4 client IP address. This prevents clients from spoofing their IP addresses by supplying an XFF header of their own.

Note:

If the client request already contains an X-Forwarded-Proto header with the same value as the one configured in the application profile, NSX Advanced Load Balancer sends only a single X-Forwarded-Proto header to the server.

XFF Header Handling

When X-Forwarded-For is enabled, the XFF Header Handling option controls what the SE does with X-Forwarded-For headers that arrive with the request. The options are:

  • Replace XFF Headers: all incoming X-Forwarded-For headers are dropped and replaced with a single header created by NSX Advanced Load Balancer that contains the client IP address. This is the default.

  • Append XFF Headers: the values of all incoming X-Forwarded-For headers are kept and the client IP address is appended to them as the last value, so the server receives the full proxy chain with the SE's entry last.

  • Add new XFF Header: the incoming X-Forwarded-For headers are left untouched and a new X-Forwarded-For header containing the client IP address is added after them.

Keeping pre-existing XFF Headers

There are times when this behavior (removing pre-existing XFF headers) is not desired, such as when multiple proxies in front of the SE are each SNATing and inserting XFF headers. To insert an XFF header without removing the pre-existing ones, use the Append XFF Headers or Add new XFF Header handling option, or insert the header with a DataScript or an HTTP Request Policy. Whichever method keeps the incoming headers, only the value inserted by the SE (the right-most entry) is trustworthy; the earlier values were supplied by the client or by upstream proxies and can be forged, so the application server must not use them for blocklisting or access decisions.

Example (DataScript attached to the HTTP Request event):

-- Add an X-Forwarded-For header carrying the layer 4 client IP address
-- without removing any X-Forwarded-For headers already in the request.
-- The server matches on the literal header name, so the full name is used
-- rather than the XFF shorthand.
avi.http.add_header("X-Forwarded-For", avi.vs.client_ip())
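The following is an added example, not code from NSX Advanced Load Balancer or from this page, that simulates the three XFF Header Handling modes described above and the trust question raised in the section on keeping pre-existing headers. The request headers and IP addresses are constructed for illustration; the SE's real implementation is not shown on the page.

```python
"""Simulation of the three XFF Header Handling modes (Replace, Append, Add new)
and of how an application server should read the resulting header.

Added example for this page; it is not NSX Advanced Load Balancer code and the
sample request below is constructed.
"""

from typing import List, Optional, Tuple

Header = Tuple[str, str]
XFF = "X-Forwarded-For"

# Constructed sample request. The client's layer 4 address is 203.0.113.7.
# The request already carries two XFF headers: think of one from an upstream
# proxy and one the client typed in to spoof its address.
CLIENT_IP = "203.0.113.7"
INCOMING: List[Header] = [
    ("Host", "app.example.com"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("X-Forwarded-For", "198.51.100.9"),
    ("User-Agent", "curl/8.0"),
]


def xff_values(headers: List[Header]) -> List[str]:
    """All XFF values in header order, splitting comma-separated lists."""
    values: List[str] = []
    for name, value in headers:
        if name.lower() == XFF.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def apply_xff_handling(headers: List[Header], client_ip: str, mode: str) -> List[Header]:
    """Return the headers the server receives for the given handling mode.

    mode is "replace" (the default), "append" or "add", matching the three
    XFF Header Handling options.
    """
    others = [(n, v) for n, v in headers if n.lower() != XFF.lower()]
    if mode == "replace":
        # Every pre-existing XFF header is dropped and one header holding only
        # the layer 4 client IP is inserted: client-supplied values never reach
        # the server, which is what defeats spoofing.
        return others + [(XFF, client_ip)]
    if mode == "append":
        # Pre-existing values are kept and the client IP is appended as the
        # last value of a single header.
        return others + [(XFF, ", ".join(xff_values(headers) + [client_ip]))]
    if mode == "add":
        # Pre-existing headers are left untouched; a new header holding the
        # client IP is added after them.
        return list(headers) + [(XFF, client_ip)]
    raise ValueError(f"unknown mode {mode!r}")


def trusted_client_ip(headers: List[Header]) -> Optional[str]:
    """The value an application server should log or blocklist on.

    Only the right-most value was written by the last trusted hop (the SE);
    everything before it is whatever the client or earlier proxies sent.
    """
    values = xff_values(headers)
    return values[-1] if values else None


if __name__ == "__main__":
    for mode in ("replace", "append", "add"):
        received = apply_xff_handling(INCOMING, CLIENT_IP, mode)
        print(f"{mode:8} xff={xff_values(received)} trusted={trusted_client_ip(received)}")
```

In replace mode the spoofed 10.0.0.1 never reaches the server. In append and add modes it does, which is why a server behind an SE configured that way must take the right-most value only; reading the first value, as many logging libraries do by default, hands the attacker control of the logged address.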