We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Load Balancer ADC

How to Make the Client IP Address Available to the Back-end Server

  • Last updated on

For Layer 4 - UDP and Layer 4 - TCP services, the actual client IP address is passed to the server in the TCP header. No further configuration is necessary for Layer 4 services.

For all other service types (i.e., when deployed in proxy mode), the default behavior is that the outgoing interface of the Barracuda Load Balancer ADC is used for connections with the real servers. In certain cases, you may want the Barracuda Load Balancer ADC  to connect to the server using the client IP address. If you have servers on the back-end that need to access the actual client IP address, there are two ways to provide it to the servers:

  • Client Impersonation
  • X-Forwarded-For Header

Consider the following before deciding which option to configure:

Client ImpersonationX-Forwarded-For Header

Provides the client IP address as the source IP address of the request.

Requires a networking change.

Performance impact.

Provides the client IP address in the X-Forwarded-For header of every request.

Requires a logging change.

Layer 7 HTTP and HTTPS services only

Configuring Client Impersonation

You can configure the Barracuda Load Balancer ADC to connect to a server using the client IP address. When the server responds to a message using that original client IP address, the traffic will go directly to the client. However, the client is expecting the response from the Barracuda Load Balancer ADC. In order for the return traffic to pass through the Barracuda Load Balancer ADC, you must change the default gateway of each real server in the pool to a custom virtual interface on the Barracuda Load Balancer ADC. The custom virtual interface should associate an externally-accessible IP address with the Internet-facing port.

To use the client IP address for connections:

  1. On the web interface of the Barracuda Load Balancer ADC:
    • Enable the Client Impersonation option for each server. Edit the server (from the BASIC > Services page). On the Server Configuration page, set Client Impersonation to Yes.
  2. On the server:
    • Change the default gateway to the corresponding custom virtual interface on the Barracuda Load Balancer ADC.

To Use the Client IP address from the X-Forwarded-For Header

By default, the client IP address is inserted by the Barracuda Load Balancer ADC in the X-Forwarded-For header  when the request is forwarded to the back-end server. 

To use the embedded IP address with Apache servers or with IIS 7 or IIS 7.5 servers, refer to the following articles:

How to Log Client IP Address when there is a Proxy Server between the Clients and the Barracuda Load Balancer ADC

If the Barracuda Load Balancer ADC or the client is deployed behind a proxy server, the client IP address of incoming requests is the address of the proxy server. You can see this address in the Client IP column on the BASIC > Access Logs page. To log the actual client IP address instead, edit the service, and specify the name of the header containing the actual client IP address that the proxy server inserts in each request. 

To Configure the Header Name:

  1. Edit the service from the BASIC > Services page.
  2. Specify the header name in the Client IP Header box. Usually the header that stores the actual client IP address is either X-Forwarded-For or X-Client-IP.

When a request is received, the Barracuda Load Balancer ADC examines the specified header, retrieves the actual client IP address, and logs it.

For example, consider the client IP addresses  174.15.230.2 and 174.15.230.3, and proxy IP address 174.15.230.254. When the client sends a request, the proxy receives the request and stores the IP address of the client in the X-Forwarded-For or X-Client-IP header, and forwards the request to the Barracuda Load Balancer ADC. The Barracuda Load Balancer ADC extracts the client IP address from the specified header and logs it. It can also be configured to forward the address to the back-end server.

Scenario 1 - Clients behind Proxy Server

x_forwarded_for.jpg

 

Scenario 2 - Barracuda Load Balancer ADC behind Proxy Server

x_forwarded_for_1.jpg

 

Last updated on