
X-forwarded-for and Apache on 3.2, how?


We are rolling out new NAM boxes fronted by a somewhat complicated A10
load balancer deployment. This involved LBs and NAM distributed in
geographically different locations. To make a long story short, we
NEED the true client IP available on both the NAM IDP and AG, and we
also need those IPs logged via the NAM audit logging capabilities (to a
sentinel box). We've tried configuring everything without NAT, and
while yes it's theoretically doable, we've been having no luck getting
it to work right due to our network architecture, so now we're going
back to the drawing board and exploring NAT with X-forwarded-for.

Out of the box, NAM doesn't pass X-forwarded-for to the audit servers
(so the documentation says), and this is a key feature we need. I've
also had issues in the past using X-forwarded-for on AG policies with
"Authorization" policies (things randomly not working as expected--I
think it's a bug). So what I really need is for both the IDP and AG to
convert remote header IP to client IP.

The IDP documentation mentions this exact feature for remote header IP
by enabling a Tomcat module that replaces client IP with
X-forwarded-for. I tested this and it works perfectly, however I can't
find any such workaround for the AG. I tried the same setting on the
AG Tomcat server, but it's not working. My guess is since 3.2
introduced Apache in front of Tomcat, this is not going to work. I'm
thinking that the following module would be necessary to make that work
properly: http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html

However, the customized Apache2 server that comes with the AG does not
seem to have this module built in.

Any other thoughts out there?

Thanks.


--
adamdn01
------------------------------------------------------------------------
adamdn01's Profile: https://forums.netiq.com/member.php?userid=2226
View this thread: https://forums.netiq.com/showthread.php?t=50298
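
Added example, not part of the original post and not NAM, Tomcat or Apache code: one way to resolve the client IP from X-Forwarded-For so that only entries appended by your own load balancers are believed, which matters once that address is what reaches the audit log. The proxy ranges and sample requests are constructed assumptions.

```python
import ipaddress

# Constructed assumption: source addresses of the load balancers that are
# allowed to set X-Forwarded-For. Replace with the real LB addresses.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]


def is_trusted(addr):
    """True if addr is one of our own proxies (a v4/v6 mismatch is never a match)."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Return the address to record as the client IP for one request.

    peer_ip is the TCP source address; xff_header is the raw header or None.
    """
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk the header right to left: each entry was appended by the hop to
    # its right, so it is only believable while that hop is one of ours.
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # reached the first address we do not control
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


# Constructed sample requests: (TCP peer, X-Forwarded-For header)
SAMPLES = [
    ("10.0.0.5", "203.0.113.7"),
    ("10.0.0.5", "1.2.3.4, 203.0.113.7"),
    ("198.51.100.9", "1.2.3.4"),
    ("10.0.0.5", "203.0.113.7, 192.0.2.10"),
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<13} xff={xff!r:<28} -> log {resolve_client_ip(peer, xff)}")
```

In the second sample the leftmost entry was supplied by the client and is ignored; in the third the request did not arrive through a trusted proxy, so the header is ignored entirely and the TCP peer is logged.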


Re: X-forwarded-for and Apache on 3.2, how?

adamdn01,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.netiq.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.netiq.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.netiq.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your NetIQ Forums Team
http://forums.netiq.com

