For Layer 4 - UDP and Layer 4 - TCP services, the actual client IP address is passed to the server in the TCP header. No further configuration is necessary for Layer 4 services.
For all other service types (i.e., when deployed in proxy mode), the default behavior is that the outgoing interface of the Barracuda Load Balancer ADC is used for connections with the real servers. In certain cases, you may want the Barracuda Load Balancer ADC to connect to the server using the client IP address. If you have servers on the back-end that need to access the actual client IP address, there are two ways to provide it to the servers:
- Client Impersonation
- X-Forwarded-For Header
Consider the following before deciding which option to configure:
|Client Impersonation|X-Forwarded-For Header|
|---|---|
|Provides the client IP address as the source IP address of the request.|Provides the client IP address in the X-Forwarded-For header of every request.|
|Requires a networking change.|Requires a logging change.|
| |Layer 7 HTTP and HTTPS services only|
Configuring Client Impersonation
You can configure the Barracuda Load Balancer ADC to connect to a server using the client IP address. When the server responds to a message using that original client IP address, the traffic will go directly to the client. However, the client is expecting the response from the Barracuda Load Balancer ADC. In order for the return traffic to pass through the Barracuda Load Balancer ADC, you must change the default gateway of each real server in the pool to a custom virtual interface on the Barracuda Load Balancer ADC. The custom virtual interface should associate an externally-accessible IP address with the Internet-facing port.
To use the client IP address for connections:
- On the web interface of the Barracuda Load Balancer ADC:
  - Enable the Client Impersonation option for each server. Edit the server (from the BASIC > Services page). On the Server Configuration page, set Client Impersonation to Yes.
- On the server:
  - Change the default gateway to the corresponding custom virtual interface on the Barracuda Load Balancer ADC.
To Use the Client IP Address from the X-Forwarded-For Header
By default, the client IP address is inserted by the Barracuda Load Balancer ADC in the X-Forwarded-For header when the request is forwarded to the back-end server.
To use the embedded IP address with Apache servers or with IIS 7 or IIS 7.5 servers, refer to the following articles:
- Logging Actual Client IP Address on the Apache Server
- Logging Actual Client IP Address In the IIS 7 and IIS 7.5 Server
How to Log Client IP Address when there is a Proxy Server between the Clients and the Barracuda Load Balancer ADC
If the Barracuda Load Balancer ADC or the client is deployed behind a proxy server, the client IP address of incoming requests is the address of the proxy server. You can see this address in the Client IP column on the BASIC > Access Logs page. To log the actual client IP address instead, edit the service, and specify the name of the header containing the actual client IP address that the proxy server inserts in each request.
To Configure the Header Name:
- Edit the service from the BASIC > Services page.
- Specify the header name in the Client IP Header box. Usually the header that stores the actual client IP address is either X-Forwarded-For or X-Client-IP.
When a request is received, the Barracuda Load Balancer ADC examines the specified header, retrieves the actual client IP address, and logs it.
For example, consider the client IP addresses 220.127.116.11 and 18.104.22.168, and proxy IP address 22.214.171.124. When the client sends a request, the proxy receives the request and stores the IP address of the client in the X-Forwarded-For or X-Client-IP header, and forwards the request to the Barracuda Load Balancer ADC. The Barracuda Load Balancer ADC extracts the client IP address from the specified header and logs it. It can also be configured to forward the address to the back-end server.
Scenario 1 - Clients behind Proxy Server
Scenario 2 - Barracuda Load Balancer ADC behind Proxy Server
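The following is an added example, not Barracuda code: one way a back-end application can pick the address to log from the X-Forwarded-For header, honoring the header only when the connection actually comes from the load balancer. The addresses, `TRUSTED_HOPS`, and the function names are constructed for illustration, and the code assumes the usual convention that each hop appends the address it received the request from.

```python
import ipaddress

# Assumption (constructed values): the ADC interface that connects to the real
# servers, and an upstream proxy that you operate in front of the ADC.
TRUSTED_HOPS = [ipaddress.ip_network(n) for n in ("10.0.0.5/32", "192.0.2.10/32")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_HOPS)


def _parse(token):
    """Return an ip_address for one header entry, or None if it is malformed."""
    token = token.strip()
    if token.startswith("["):            # "[2001:db8::1]:443"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # "203.0.113.7:51234"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def client_ip(peer, xff):
    """Address to log: `peer` is the TCP source address, `xff` the raw header."""
    peer_addr = ipaddress.ip_address(peer)
    # A header that did not arrive through the ADC was written by the sender,
    # so it carries no weight: log the connection's own source address.
    if not xff or not _trusted(peer_addr):
        return str(peer_addr)
    result = peer_addr
    # Assumes the usual convention that each hop appends the address it
    # received the request from, so the right-hand entries are the newest.
    for token in reversed(xff.split(",")):
        addr = _parse(token)
        if addr is None:
            break                        # malformed entry: keep last good value
        result = addr
        if not _trusted(addr):
            break                        # first hop we do not operate
    return str(result)
```

Entries to the left of the first address you do not operate were supplied by the sender and are deliberately never returned.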