[389-users] Accessing TCP options data in 389ds

Rich Megginson rmeggins at redhat.com
Fri Jul 12 21:28:07 UTC 2013


On 07/12/2013 03:25 PM, Justin Kinney wrote:
> Hello,
>
> I'm investigating the possibility of logging client IP address where 
> 389ds is deployed behind a load balancer. Today, we lose the true 
> client IP address as the source IP is replaced with the load 
> balancer's before the packet hits the 389 host. Has anybody solved 
> this issue before?
>
> For HTTP based services, this problem is trivial to overcome by 
> grokking the X-Forwarded-For header from the request, but obviously 
> this doesn't work with a service like LDAP deployed behind a TCP based 
> load balancing instance.
>
> One option is to use a direct server return (DSR) configuration with 
> our load balancer and host, but that adds a lot of overhead to our 
> environment in terms of configuration complexity, so I'd like to avoid 
> that.
>
> Another option is using an interesting capability of our load balancer 
> (and I'm not sure how unique this feature is - I'd be interested in 
> hearing if anyone else has run across it). It can insert the client IP 
> address into the TCP stream, as arbitrary data in the options field of 
> the TCP header. Existence of an address is also indicated by a magic 
> number (which can uniquely identify the VIP on the load balancer).
>
> What would it take to modify 389 to access the raw TCP header, parse 
> the options field to get the true client IP, and then associate it 
> with the request? Ideally, the client IP would be accessible in the 
> access log.

I don't know - what are the TCP/IP/socket API calls that are required to 
get this data?

>
> Thanks in advance,
> Justin
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
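Taking up Rich's question above: on an ordinary socket the TCP options are consumed by the kernel during the handshake and never reach accept()/recv(), so the server has to get hold of the SYN packet itself (a packet capture, or on current Linux the TCP_SAVE_SYN/TCP_SAVED_SYN socket options, which hand back the SYN's IP and TCP headers). Once it has that header, pulling the address out of the option block is simple. The code below is an added example, not 389ds code and not something from this thread; the option kind number, the magic value, and the balancer and client addresses are all constructed for the example, and a real appliance documents its own values. Like X-Forwarded-For, the inserted address is only honoured when the packet actually arrived from a known balancer, since any client that can reach the host directly can put whatever it likes in its own TCP options.

```python
"""Parse a load balancer's client-IP hint from a captured TCP SYN header.

Added example, not 389ds code. Option kind, magic and addresses are
constructed; a real balancer documents its own values.
"""
import ipaddress
import struct
from typing import Optional

LB_OPTION_KIND = 0xFD   # constructed: private-use option kind number
LB_MAGIC = 0x4C42       # constructed: identifies the VIP on the balancer
LB_PAYLOAD_LEN = 6      # 2-byte magic + 4-byte IPv4 address


def parse_tcp_options(tcp_header: bytes) -> list:
    """Return [(kind, payload), ...] for every multi-byte option.

    EOL (kind 0) stops parsing and NOP (kind 1) is skipped; a malformed
    length raises instead of silently reading past the option block.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset %d" % data_offset)
    opts = tcp_header[20:data_offset]
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d truncated" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def extract_client_ip(tcp_header: bytes, src_ip: str, trusted_lbs) -> Optional[str]:
    """Return the dotted client address carried in the LB option, or None.

    The hint is only trusted when the packet's own source address is a
    known balancer, for the same reason X-Forwarded-For is only trusted
    from a known proxy.
    """
    if src_ip not in trusted_lbs:
        return None
    for kind, payload in parse_tcp_options(tcp_header):
        if kind != LB_OPTION_KIND or len(payload) != LB_PAYLOAD_LEN:
            continue
        (magic,) = struct.unpack("!H", payload[:2])
        if magic == LB_MAGIC:
            return str(ipaddress.IPv4Address(payload[2:]))
    return None


def build_syn(options: bytes) -> bytes:
    """Constructed SYN header (ports/seq arbitrary) with options padded to 4 bytes."""
    while len(options) % 4:
        options += b"\x01"  # NOP padding
    data_offset_words = (20 + len(options)) // 4
    base = struct.pack("!HHIIBBHHH", 50000, 389, 1, 0,
                       data_offset_words << 4, 0x02, 65535, 0, 0)
    return base + options


# Constructed sample packets: one that came through the balancer, one direct.
MSS_OPTION = b"\x02\x04\x05\xb4"   # MSS 1460, a normal SYN option
LB_OPTION = (bytes([LB_OPTION_KIND, 2 + LB_PAYLOAD_LEN])
             + struct.pack("!H", LB_MAGIC)
             + ipaddress.IPv4Address("203.0.113.7").packed)

SYN_VIA_LB = build_syn(MSS_OPTION + b"\x01\x01" + LB_OPTION)
SYN_DIRECT = build_syn(MSS_OPTION)
TRUSTED_LBS = {"192.0.2.10"}   # constructed balancer address

if __name__ == "__main__":
    print(extract_client_ip(SYN_VIA_LB, "192.0.2.10", TRUSTED_LBS))    # 203.0.113.7
    print(extract_client_ip(SYN_VIA_LB, "198.51.100.5", TRUSTED_LBS))  # None
    print(extract_client_ip(SYN_DIRECT, "192.0.2.10", TRUSTED_LBS))    # None
```

The length checks in parse_tcp_options matter in practice: the option block is attacker-controlled bytes arriving before any LDAP authentication, so a parser that trusts the length byte is a crash waiting to happen in the server process. The returned string is what one would then attach to the connection for the access log.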
