Forum Discussion
NimbostratusClient/Source IP is not passed to downstream application
I have VIP in F5 SNAT with x-forward enabled - but SSL is terminated at the backend. We have http profile is set none to make the client mutual authentication to work along with SSL.
How do I configure F5 to pass the client/source IP to downstream applications, currently it only sees the F5 Ip address.
7 Replies
Ryan_80361Cirrostratus
I guess it depends on how you've designed your environment, but at a minimum you need to allow the BIG-IP to be able to see "inside" the encrypted traffic. You can do this by either SSL offloading or SSL bridging, you can then enable a http profile with the insert x-forwarded-for option enabled.
spurushothaman_SSL bridging is deprecated because of the security vulnerability.- Ryan_80361What vulnerability, can you elaborate please?
RyannnnnnnnnAltocumulus
I guess it depends on how you've designed your environment, but at a minimum you need to allow the BIG-IP to be able to see "inside" the encrypted traffic. You can do this by either SSL offloading or SSL bridging, you can then enable a http profile with the insert x-forwarded-for option enabled.
- spurushothaman_SSL bridging is deprecated because of the security vulnerability.
- RyannnnnnnnnWhat vulnerability, can you elaborate please?
- Minn_62043
If SSL is terminated at the backend server, BIG-IP will not be able to see the HTTP headers inside the SSL traffic and cannot add the XFF header.
You can only use the routed-mode, where SNAT is removed and backend servers use BIG-IP as the gateway for the incoming traffic.
