
Lorens_170609
Sep 17, 2014

Add X-Forwarded-For to Proxy HTTP protocol

Hi,

I have an F5 cluster in front of a Squid proxy cluster, and I want my Squids to get the X-Forwarded-For header, which is not the case today.

My definition is as follows:

ltm virtual /internal/webproxylb {
    destination /internal/10.1.1.80:3128
    ip-protocol tcp
    mask 255.255.255.255
    pool /internal/squidproxies
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        /internal/vlan5
    }
    vlans-enabled
}

I understand that as long as I am using FastL4 I cannot add X-Forwarded-For, but if I do try to remove it (I suspect it has been added to enhance performance, so I'll have to take some care), will I be able to add X-Forwarded-For? That is, will the F5 recognize the

GET http://whatever.com/path HTTP/1.1
Host: whatever.com

as an HTTP request that it can add an X-Forwarded-For header to without changing anything else at all? All the examples I have found seem to relate to reverse proxying where the protocol is the plain

GET /path HTTP/1.1
Host: whatever.com

2 Replies

  • In order to (easily) insert an HTTP header into the ingress flow, you'd need to apply an HTTP profile to your standard VIP configuration. You can also simply enable XFF insertion directly from within the HTTP profile. In lieu of actually adding an HTTP profile, you'd need an iRule that parses the raw layer 4 TCP data.
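
The change the reply describes, sketched as tmsh configuration (an added example, not part of the reply or the original post): the virtual server from the question with fastL4 swapped for a TCP profile plus an HTTP profile that has XFF insertion enabled. The profile name `/internal/http_xff` is hypothetical; every other value is copied from the question.

```tmsh
# Hypothetical custom profile: inherits the built-in HTTP profile and
# turns on X-Forwarded-For insertion.
ltm profile http /internal/http_xff {
    defaults-from /Common/http
    insert-xforwarded-for enabled
}

# Virtual server from the question. An HTTP profile cannot be combined with
# fastL4, so fastL4 is replaced by the built-in full-proxy TCP profile.
ltm virtual /internal/webproxylb {
    destination /internal/10.1.1.80:3128
    ip-protocol tcp
    mask 255.255.255.255
    pool /internal/squidproxies
    profiles {
        /Common/tcp { }
        /internal/http_xff { }
    }
    source 0.0.0.0/0
    # With automap the Squids see a BIG-IP self IP as the peer address,
    # so the inserted header is their only view of the real client.
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        /internal/vlan5
    }
    vlans-enabled
}
```

Because any client can send its own X-Forwarded-For, Squid should honor the header only on connections arriving from the BIG-IP self IPs (Squid's `follow_x_forwarded_for` directive takes an ACL for this).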