Re: Accessing TCP options data in 389ds

Are you doing this on the load balancer? You can use iptables with the LOG target, but if this is not sufficient, then some kind of sniffer like tcpdump might be helpful.

On 12 Jul 2013 23:27, "Rich Megginson" <rmeggins@xxxxxxxxxx> wrote:
On 07/12/2013 03:25 PM, Justin Kinney wrote:
Hello,

I'm investigating the possibility of logging client IP address where 389ds is deployed behind a load balancer. Today, we lose the true client IP address as the source IP is replaced with the load balancer's before the packet hits the 389 host. Has anybody solved this issue before?

For HTTP based services, this problem is trivial to overcome by grokking the X-Forwarded-For header from the request, but obviously this doesn't work with a service like LDAP deployed behind a TCP based load balancing instance.

One option is to use a direct server return (DSR) configuration with our load balancer and host, but that adds a lot of overhead to our environment in terms of configuration complexity, so I'd like to avoid that.

Another option is using an interesting capability of our load balancer (and I'm not sure how unique this feature is - I'd be interested in hearing if anyone else has run across it). It can insert the client IP address into the TCP stream, as arbitrary data in the options field of the TCP header. Existence of an address is also indicated by a magic number (which can uniquely identify the VIP on the load balancer).

What would it take to modify 389 to access the raw TCP header, parse the options field to get the true client IP, and then associate it with the request? Ideally, the client IP would be accessible in the access log.

I don't know - what are the TCP/IP/socket API calls that are required to get this data?


Thanks in advance,
Justin


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users



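The thread asks what it would take to read the raw TCP header and pull the client address out of the options field. The following is an added example written for this archive page; it is not code from the thread participants or from 389ds. It assumes a hypothetical option kind (0xFE) and magic value (0xCAFE) followed by a 4-byte IPv4 address; a real load balancer documents its own kind and layout, so substitute those. The header bytes themselves are constructed inline so the example runs offline. On Linux 4.2 and later the same bytes can be obtained from the kernel without a sniffer: set TCP_SAVE_SYN on the listening socket before accept(), then call getsockopt(fd, IPPROTO_TCP, TCP_SAVED_SYN, ...) on the accepted socket to retrieve the SYN's IP and TCP headers, options included.

```c
/*
 * Added example (not 389ds code): walk the TCP options area of a TCP
 * header and extract an option that a load balancer is assumed to have
 * inserted, carrying a magic number followed by the original client's
 * IPv4 address.  Option kind 0xFE, magic 0xCAFE and the payload layout
 * are hypothetical; use the values your load balancer documents.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_FIXED_HDR 20
#define TCPOPT_EOL    0
#define TCPOPT_NOP    1

/* Hypothetical load balancer option (assumption, not a standard value). */
#define LB_OPT_KIND   0xFE
#define LB_OPT_MAGIC  0xCAFE
#define LB_OPT_LEN    8      /* kind(1) len(1) magic(2) ipv4(4) */

/*
 * Find option `kind` in the TCP header at `hdr` (`len` bytes available).
 * Returns a pointer to the option payload (bytes after kind and length)
 * and sets *payload_len, or NULL if the option is absent or the option
 * list is malformed (length < 2, or an option running past the header
 * length declared by Data Offset).  Never reads beyond `len`.
 */
const uint8_t *find_tcp_option(const uint8_t *hdr, size_t len,
                               uint8_t kind, size_t *payload_len)
{
    if (hdr == NULL || len < TCP_FIXED_HDR)
        return NULL;

    /* Data Offset: upper 4 bits of byte 12, in 32-bit words. */
    size_t hdr_len = (size_t)(hdr[12] >> 4) * 4;
    if (hdr_len < TCP_FIXED_HDR || hdr_len > len)
        return NULL;

    size_t off = TCP_FIXED_HDR;
    while (off < hdr_len) {
        uint8_t k = hdr[off];
        if (k == TCPOPT_EOL)
            break;                      /* end of option list */
        if (k == TCPOPT_NOP) {
            off++;                      /* single-byte padding */
            continue;
        }
        if (off + 1 >= hdr_len)
            return NULL;                /* kind byte with no length byte */
        uint8_t l = hdr[off + 1];
        if (l < 2 || off + l > hdr_len)
            return NULL;                /* bogus length: stop, do not overrun */
        if (k == kind) {
            *payload_len = (size_t)l - 2;
            return hdr + off + 2;
        }
        off += l;
    }
    return NULL;
}

/*
 * Extract the client IPv4 address from the hypothetical LB option.
 * Writes a dotted quad into `out` (outsz >= 16).  Returns 1 on success,
 * 0 if the option is missing, has the wrong size, or the magic mismatches.
 */
int lb_client_ip(const uint8_t *hdr, size_t len, char *out, size_t outsz)
{
    size_t plen = 0;
    const uint8_t *p = find_tcp_option(hdr, len, LB_OPT_KIND, &plen);
    if (p == NULL || plen != LB_OPT_LEN - 2)
        return 0;
    uint16_t magic = (uint16_t)((p[0] << 8) | p[1]);
    if (magic != LB_OPT_MAGIC)
        return 0;
    snprintf(out, outsz, "%u.%u.%u.%u", p[2], p[3], p[4], p[5]);
    return 1;
}

/*
 * Constructed sample (not a real capture): a 40-byte SYN header
 * (Data Offset = 10) carrying MSS, NOP, window scale, the hypothetical
 * LB option with client 203.0.113.7, then EOL padding.
 */
static const uint8_t sample_syn[40] = {
    0xC3, 0x50,                 /* src port 50000 */
    0x01, 0x85,                 /* dst port 389 */
    0x00, 0x00, 0x00, 0x01,     /* seq */
    0x00, 0x00, 0x00, 0x00,     /* ack */
    0xA0, 0x02,                 /* data offset 10 words, flags SYN */
    0xFF, 0xFF,                 /* window */
    0x00, 0x00,                 /* checksum (not validated here) */
    0x00, 0x00,                 /* urgent pointer */
    0x02, 0x04, 0x05, 0xB4,     /* MSS 1460 */
    0x01,                       /* NOP */
    0x03, 0x03, 0x07,           /* window scale 7 */
    LB_OPT_KIND, LB_OPT_LEN, 0xCA, 0xFE, 203, 0, 113, 7,
    0x00, 0x00, 0x00, 0x00      /* EOL padding */
};

int main(void)
{
    char ip[16];
    if (lb_client_ip(sample_syn, sizeof sample_syn, ip, sizeof ip))
        printf("client ip from TCP option: %s\n", ip);
    else
        printf("no load balancer option present\n");
    return 0;
}
```

The option walk stops on EOL, skips NOP, and refuses any length below 2 or past the declared header length, since a malformed option list from the network must not cause a read past the header. One caveat before logging the extracted address as the client: the value is only as trustworthy as the path that produced it. Any host that can reach the LDAP listener without passing through the load balancer can insert the same option itself and forge the logged address, exactly as with X-Forwarded-For, so the listener should accept connections only from the load balancer when this data is used.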