Support Questions
Find answers, ask questions, and share your expertise

Preserve Source client IP address when use Load Balancer to connect to CM console

Explorer

Hello All,

 

We are connecting to CM console via F5 Load Balancer (Reverse Proxy). We are trying to enable X-Forwarded-For (XFF) in HTTP header, to get actual source client IP address from the CM Audits log.

 

How can I enable CM server to read XFF HTTP header for the source client IP address instead of reading source IP address from layer 3?

 

Thank you in advance.

3 REPLIES 3

Expert Contributor

Hello @ram76 ,

 

You can configure Hue to use the XFF header:

[desktop]
use_x_forwarded_host=true

See hue.ini reference:

https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini

If not already done, besides using an external load-balancer (like F5 - to let the end users remember only a single Hue login URL) please consider to add "Hue Load Balaner" role in CM > Hue service  (which sets up an Apache httpd) to serve the static contents.

See the following for more:

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/hue_use_add_lb.html#hue_use_add_lb 

Hope this helps. Best regards, Miklos

Explorer

Hi @mszurap ,

 

Thank you for the solution, I guess this would help to audit HUE access, though I was I looking for CM Audits.

 

For HUE I assume I need to add the parameter you mentioned in the following HUE configuration item.

Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini

 

Regarding to the preserve source client IP when login into CM console. I did log a ticket Cloudera Support and apparently there is JIRA OPSAPS-41615 was raised for this enhancement for CM server able to read XFF header. I don't have the access to the JIRA. I am not sure if you do.

 

Thanks again for the solution for HUE. I will try to test it my environment and I will update you.

 

Kind regards,

Rama.

Expert Contributor

Hi Rama, yes, you can configure that in the "Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini".

OPSAPS-41615 is still open, in the future you can ask the status from any of your account team contacts. If you don't know who are those contacts, please ask/clarify that through the already open support case.

Best regards,  Miklos

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.