Friday, 10 June 2011

Client IP Filtering in Weblogic and Apache through Load Balancer (F5 Big IP LTM)


Client IP Filtering in Web servers through Load Balancer


1  IP Web Filtration in Apache HTTP Web server
2  IP Web Filtration in Oracle Web Center  Suite on Windows Server 2003. 7
3  IP Web Filtration in Oracle Bea Weblogic on Linux




1       IP Web Filtration in Apache HTTP Web server

Following were the key steps used to configure filtration of client IP in access logs of apache HTTP server:

1.1.    Installing  Apache on Linux ( in our case its Ubuntu 10.10)
1.2.   Configuration of X-Forwarded-For in Apache configuration file
1.3.   Creating HTTP profile in Load balancer and enabling X-Forwarded-For
1.4.   Verifying the logs

1.1  – Installing  Apache on Linux ( in our case its Ubuntu 10.10)
#apt-get install apache2

1.2  Configuration of X-Forwarded-For in Apache configuration file
# nano /etc/apache2/apache2.conf
Now replace the %h variable with {X-Forwarded-For}i as shown below in apache2.conf file

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
1.3  Creating HTTP profile in Load balancer and enabling X-Forwarded-For
In our case the load balancer is F5 BIG-IP LTM 3600-4G. Following images will depict the process

1.1  Verifying the logs



# tail -f /var/log/apache2/access.log







2. IP Web Filtration in Oracle Web Center  Suite on Windows Server 2003


Following were the key steps used to configure filtration of client IP in access logs of apache HTTP server:

1.1.    Installing  Oracle Web Center  Suite on Windows Server 2003
1.2.   Configuration of X-Forwarded-For in Apache for web center suite configuration file
1.3.   Creating HTTP profile in Load balancer and enabling X-Forwarded-For
1.4.   Verifying logs

1.1 Installing  Oracle Web Center  Suite on Windows Server 2003
Please see the installation guide in oracle website
1.2 Configuration of X-Forwarded-For in Apache for web center suite configuration file
Oracle Web Center Suite server is used for hosting of company’s website (http://www.sngpl.com.pk). It works with apache as Http Server. So in order to monitor client ip in server logs for this environment, we had to update and configure Apache Http Server. Steps for updating and configuration of Apache are as follows
Step I: Update the required modules of Apache Http Server
For this purpose, following apache modules were required
·         mod_headers.so
·         mod_proxy.so
·         mod_proxy_connect.so
·         mod_proxy_http.so
Download these modules from Apache’s website (http://projects.apache.org/projects/http_server.html), and copy to modules directory in Apache Http Server.
Step II: Edit the configuration file (httpd.conf)
Open httpd.conf file in the conf directory of Apache Http Server, and add the following

AddModule mod_headers.c
AddModule mod_proxy.c
AddModule mod_proxy_http.c
AddModule mod_proxy_connect.c

# Log the originating ip if use a proxy
SetEnvIfNoCase X-Forwarded-For "." from_proxy=1

CustomLog C:\product\10.1.3.2.0\OracleAS_2\Apache\Apache\logs\apache2\without-proxy.log combined env=!from_proxy
CustomLog C:\product\10.1.3.2.0\OracleAS_2\Apache\Apache\logs\apache2\with-proxy-access.log      combined_forwarded env=from_proxy


Save the file and restart the server. Server log should now reflect the actual client IP instead of firewall IP.

1.3 Creating HTTP profile in Load balancer and enabling X-Forwarded-For
In our case the load balancer is F5 BIG-IP LTM 3600-4G. Following images will depict the process







1.1 Verifying the logs

C:\product\10.1.3.2.0\OracleAS_2\Apache\Apache\logs





3. IP Web Filtration in Oracle Bea Weblogic on Linux


1.1  Installing  Oracle Weblogic server  on linux

1.2  Enabling Weblogic Plugin
1.3  Creating HTTP profile in Load balancer and enabling WL-Proxy-Client-IP: [IP::client_addr]
1.4  Verifying logs

1.1            Installing Oracle Weblogic server  on linux (Ubuntu 10.10)
For configuration to be as closer as to the actual production environment, we setup weblogic on Linux on a VM machine. Following were the steps:
                   I.            Downloaded and installed Java 6 on Linux.
                II.            Setup PATH and JAVA_HOME environment variables for java.
             III.            Installing weblogic server with .jar installation package.
1.2  Enable Weblogic Plugin (see procedure and images below)
a.       Login to the weblogic admin console
b.      In the main panel  >> Domain Structure >>  wl_server >> Web Applications
c.       Check the check box with label “WebLogic Plugin Enabled ”
d.      Click Activate Changes, Save and Restart the server for changes to take effect.








1.3  Creating HTTP profile in Load balancer and enabling WL-Proxy-Client-IP: [IP::client_addr]




1.4  Verifying the logs

#cd /root/bea/wlserver_10.0/samples/domains/wl_server/servers/examplesServer/logs/
#tail -f access.log

1 comment:

  1. Thanks for putting this information on the internet. We were trying to get the client ip address in the access log using Weblogic and Radware appDirector hardware load balancing switch. Although not the same as the F5 Big-IP switch, the concept and implementation was the same. Using this information, now our access logs contain the correct client IP address.

    Cheers,
    John Hickey

    ReplyDelete