This section discusses the steps to configure True Client IP in NSX Advanced Load Balancer.

Configuring True Client

Starting with NSX Advanced Load Balancer 22.1.3, True Client IP can be enabled and configured using the UI.

To enable True Client IP from the UI:

  1. Navigate to Templates > Profiles > Application.

  2. Create or edit an Application Profile of type HTTP.

  3. Select the Enable True Client IP check box.

  4. Select the Index Direction to define which direction the client IP index must be counted from.

  5. Enter the Index in Header, that is, the position of the entry to be picked from the specified header’s values. The default value is 1, which picks the first IP value from the user-specified header, counted in the direction set in Index Direction. A higher Index in Header value picks the IP at that position. For example, if the Index in Header is 3, the third IP from the specified direction is picked.

  6. Under Headers to Find True Client IP, click Add and enter the custom header. If no custom header is entered and the Enable True Client IP check box is selected, the X-Forwarded-For header, if available, is used.

  7. Configure the other fields and click Save.

Follow the steps below to configure True Client IP in NSX Advanced Load Balancer using the CLI.

Enabling True Client IP

Enable the use_true_client_ip field for the desired custom HTTP profile.

  1. Access the CLI by logging into the NSX Advanced Load Balancer Shell.

  2. Configure the custom HTTP profile by using the following command:

    configure applicationprofile <name of the custom http profile>

  3. Enable True Client IP using the following command:

    http_profile use_true_client_ip

Configuring the Parameters

Use the following parameters with the true_client_ip parameter:

  • Headers (optional): defines the HTTP header from which the client IP is fetched. If not specified, “X-Forwarded-For” is configured by default.

  • Direction (optional): defines the direction in which the IPs in the specified header value are counted. By default, the value is Left.

  • Index_in_header (optional): defines the position, counted in the configured direction, within the specified header’s value. By default, the value is 1.

Define the parameters for True_Client_IP (header name, direction, and index in the header) as shown below:

    true_client_ip headers <name of the header> <direction> <index in the header>

Note: The valid range for true client IP index is 1-1000.

After configuring the parameters as required, save the configuration.

Use cases

The following features can be configured to use actual client IP:

  • HTTP Policies

    • HTTP Security/ Request/ Response policy match based on client IP can be configured.

  • DataScripts: Client IP based API, Rate limiting API

The following features are affected after enabling True Client IP:

  • Application Logs: Client IP (v4 and v6) in Application Log

  • Analytics Policy

    • Client Log filter match for Client IP

    • RUM/ Client Insights Sampling – Client IP address to check when inserting RUM script

  • Rate Limit based on client IP

  • Compression Filter based on client IP

  • Match based on client IP in SSO policy

  • Allow list based on client IP in WAF policy

  • WAF: Modsec Rules

  • Allow list based on client IP in Bot Management Policy

  • IP Reputation

  • Geo Location-based Features

  • True Client IP in DOS Analytics Reports

Upgrade

By default, True Client IP is deactivated. Hence, when NSX Advanced Load Balancer is upgraded, all instances where client IP is referred to continue to refer to Source IP, and there is no change in behavior.

If True Client IP is enabled later, all the instances that refer to client IP will refer to True Client IP. To use Source IP specifically in any such places, explicitly change the configuration.

Examples

| True Client IP Configuration | Header Parameter | Direction Parameter | Index Count Parameter | Request Details | Behavior |
|---|---|---|---|---|---|
| Enabled | X-Forwarded-For | Left | 3 | X-Forwarded-For:1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 3.3.3.3; Source IP = from layer-3 header |
| Enabled | X-Forwarded-For | Left | 4 | X-Forwarded-For:1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 4.4.4.4; Source IP = from layer-3 header |
| Enabled | X-Forwarded-For | Left | 5 | X-Forwarded-For:1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 4.4.4.4; Source IP = from layer-3 header |
| Enabled | X-Forwarded-For | Left | 4 | X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3,4.4.4.4; X-Forwarded-For: 10.10.10.10, 172.16.1.1,192.168.1.1 | Client IP = 4.4.4.4; Source IP = from layer-3 header |
| Enabled | True-Client-IP | Left | 4 | X-Forwarded-For:1.1.1,2.2.22,3.3.3.3,4.4.4.4 | Client IP = Source IP = from layer-3 header |
| Enabled | True-Client-IP | Left | 4 | X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3,4.4.4.4; True-Client-IP: 10.10.10.10, 172.16.1.1, 192.168.1.1 | Client IP = 192.168.1.1; Source IP = from layer-3 header |
| Enabled | Not Configured (Default) | Left | 3 | X-Forwarded-For: 1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 3.3.3.3; Source IP = from layer-3 header |
| Enabled | X-Forwarded-For | Not Configured (Default) | 3 | X-Forwarded-For: 1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 | Client IP = 3.3.3.3; Source IP = from layer-3 header |
| Enabled | X-Forwarded-For | Left | 2 | X-Forwarded-For: 1.1.1,2-2,3.3.3.3,4.4.4.4 | Client IP = Source IP = from layer-3 header |
| Enabled | X-Forwarded-For | Left | 2 | X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 | Client IP = 2.2.2.2; Source IP = from layer-3 header |
| Enabled | True-Client-IP | Left | 2 | X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 | Client IP = Source IP = from layer-3 header |
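
The selection behavior in the examples above can be modeled as follows. This Python model is an added example, not NSX Advanced Load Balancer code: the function name, the assumption that Right counts from the end of the header value, and the out-of-range behavior for Right are assumptions, and the sample request at the bottom is constructed. It also shows why Index Direction matters for allow lists and rate limits: the leftmost entry is whatever the client sent, while the rightmost was appended by the last proxy.

```python
import ipaddress

def true_client_ip(headers, source_ip, header="X-Forwarded-For",
                   direction="left", index=1):
    """Return the client IP per the rules shown in the page's examples."""
    if not 1 <= index <= 1000:            # valid index range stated on the page
        raise ValueError("index must be in 1-1000")
    direction = direction.lower()
    if direction not in ("left", "right"):
        raise ValueError("direction must be left or right")
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == header.lower()), None)
    if value is None:
        return source_ip                  # header absent: layer-3 source IP
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return source_ip
    if direction == "right":              # assumption: count from the end
        entries.reverse()
    # An index past the end picks the last entry in the counted direction
    # (page example: index 5 of 4 entries from Left gives 4.4.4.4; the same
    # rule for Right is an assumption).
    candidate = entries[min(index, len(entries)) - 1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return source_ip                  # selected entry is not a valid IP

# Constructed sample: the client sent its own X-Forwarded-For value
# (203.0.113.9) and one upstream proxy at 10.0.0.5 appended the address
# it actually saw (198.51.100.7).
SAMPLE_HEADERS = {"X-Forwarded-For": "203.0.113.9, 198.51.100.7"}
SAMPLE_SOURCE = "10.0.0.5"

if __name__ == "__main__":
    for d in ("left", "right"):
        print(d, true_client_ip(SAMPLE_HEADERS, SAMPLE_SOURCE, direction=d))
```

With one upstream proxy in front of the load balancer, counting from Right with index 1 selects the address that proxy observed, whereas Left with index 1 selects a value the client can set freely.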