VMware Networking Community
Carlos_E

NSX Load Balancer - One Armed Deployment and Original Client IP

Hi,

I post this just in case someone comes across something like this; I struggled a lot to get this to work.

So I had to implement NSX Load Balancing on existing Distributed Port Groups, which meant existing physical gateways and firewalls, so the deployment option ended up being One Armed instead of Inline (I don't think there's a way to make Inline mode play nice with existing physical gateways/firewalls).

When in One Armed deployment mode I think one is supposed to use the :

-

Option in the Application Profile, I'm using NSX 6.3.1 and that option did not carry the Original Client IP address no matter what, the other option offered by NSX Load Balancing is the Transparent Mode of the Pool, but it's my understanding that this option only works when in Inline mode, so I was lost without a way to implement NSX Load Balancing since almost no deployment would consider it an option to lose the Original Client IP address.

What I ended up finding is that since NSX Load Balancing is based on HAProxy, I could add an Application Rule that added that information, and it worked!!

These are the rules that I added:

# add X-FORWARDED-FOR

option forwardfor

# add X-CLIENT-IP

http-request add-header X-CLIENT-IP %[src]

Hope someone finds this useful, I sure spent a lot of time looking for a way to make the X-Forwarded-For work on NSX and it was a complete waste of time.

Regards,

Carlos.
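
Added example, not part of the original post: in HAProxy, `option forwardfor` appends its X-Forwarded-For header after any the client already sent, and `add-header` adds a header without replacing existing ones, so the web server should only believe the value written by the load balancer. The Python sketch below shows that check on the backend side; the Edge address 10.0.0.10 and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumed address of the one-armed NSX Edge as seen by the web server (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer, headers):
    """Return the client address for one request.

    peer    -- source IP of the TCP connection as seen by the web server
    headers -- list of (name, value) tuples in the order they were received
    """
    peer_ip = ipaddress.ip_address(peer)
    if not _trusted(peer_ip):
        # Request did not come through the load balancer: ignore the headers.
        return str(peer_ip)
    # Flatten every X-Forwarded-For line, in order, into one list of hops.
    hops = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(h.strip() for h in value.split(",") if h.strip())
    # Walk from the right: the last entry is the one the load balancer wrote.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the rest of the chain
        if not _trusted(ip):
            return str(ip)
    return str(peer_ip)

# Constructed sample: the first header was sent by the client itself,
# the second was appended by the load balancer.
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("X-Forwarded-For", "192.0.2.99"),
    ("X-Forwarded-For", "198.51.100.23"),
]

if __name__ == "__main__":
    print(client_ip("10.0.0.10", SAMPLE_HEADERS))
```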

Accepted Solutions
Carlos_E

Just to give an update in case anyone comes across this.

Yesterday an NSX Systems Engineer told me that maybe what was happening is that I had Acceleration Enabled, which meant that I was using the L4 Engine instead of the L7 Engine which is the one that handles the headers.

I did a test removing the Application Rules described below, checked that the Client IP Address was not being passed on to the Web Servers, then went and disabled Acceleration under Global Configuration of the Edge Gateway and then checked that now the Client IP Address was in fact being passed on to the Web Servers.

So that was that...maybe some rule in the GUI would be nice to avoid this issue "If Acceleration Enabled then let's gray out the Insert X-Forwarded-For HTTP header setting"!!

Regards.
