Forum Discussion

10 Replies

  • No, there should be no impact to your application other than the addition of the new X-Forwarded-For header in the request data that it receives. Just simply modify your HTTP profile to enable the X-Forwarded-For option and you should be all set.

     

  • Hi Josh and Samir, thanks for your advice. So either using an iRule or modifying the HTTP profile with "Insert X-Forwarded-For" enabled is sufficient, and will not cause downtime. How about X-Forwarded-Proto? Please advise how this can be configured, and whether it also requires no downtime?

     

  • I assume you are doing SSL termination (offloading) at the BigIP and want a header to send to your servers to indicate the original request was HTTPS. What we do for this is use a policy on the HTTPS virtual server to insert this header. Attaching the policy will cause no downtime.

    ltm policy X-Forwarded-Proto {
        requires { client-ssl http }
        rules {
            X-Forwarded-Proto_insert {
                actions {
                    0 {
                        http-header
                        insert
                        name X-Forwarded-Proto
                        value https
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }
    
  • Thanks Brad for your advice. Please advise whether it is necessary to implement an iRule for both X-Forwarded-For and X-Forwarded-Proto, or is either one enough?

     

  • Well, you can do it with the HTTP profile option with the policy I mentioned above (will perform better as they are built-in features) or you can do it with a single iRule that will insert both.

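    when HTTP_REQUEST {
        # Pass the address of the client that connected to the BIG-IP
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
        # Only flag HTTPS when a client SSL profile is on this virtual server
        if {[PROFILE::exists clientssl] == 1} {
            HTTP::header insert "X-Forwarded-Proto" "https"
        }
    }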
    
  • Akamai uses the True-Client-IP header to forward the website visitor IP. If we already enabled X-Forwarded-For, does this mean that F5 LTM will be able to capture and track Akamai’s client IP information?

     

    • Brad_Parker
      If Akamai uses a different header, the F5 or your back end server can track it. If you want the F5 to translate it to X-Forwarded-For you can just specify the header in the "XFF Alternative Names" property in the HTTP profile.
  • If we did not specify the header in the "XFF Alternative Names" property in the HTTP profile, what will F5 do when it receives this Akamai True-Client-IP header?

     

    • Brad_Parker
      It won't do anything with the header. It will be un-affected and be sent as part of the request to the pool member.
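
Added example, not part of the thread and not F5 code: a Python sketch of how a pool member could consume the headers discussed above, trusting X-Forwarded-For only when the TCP peer is the BIG-IP, and True-Client-IP only when the address reported by the BIG-IP belongs to the CDN. The address ranges, the function names and the assumption that the BIG-IP's entry is the last X-Forwarded-For value are illustrative.

```python
import ipaddress

# Constructed values, assumptions for this sketch: the BIG-IP self IPs that the
# pool member sees as TCP peer, and the CDN edge range allowed to vouch for a client.
BIGIP_SELF_IPS = [ipaddress.ip_network("10.0.0.0/28")]
CDN_EDGES = [ipaddress.ip_network("198.51.100.0/24")]


def _parse_ip(text):
    """Return an ip_address object, or None when the value is not an IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _within(ip, networks):
    return ip is not None and any(ip in net for net in networks)


def resolve_client_ip(peer_ip, headers):
    """Return (client_ip, source) for one request.

    headers is a list of (name, value) pairs in received order, so repeated
    X-Forwarded-For lines are kept.
    """
    if not _within(_parse_ip(peer_ip), BIGIP_SELF_IPS):
        # Connection did not come through the BIG-IP: headers are client-controlled.
        return peer_ip, "peer"

    xff_values, true_client = [], None
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            xff_values.extend(value.split(","))
        elif name.lower() == "true-client-ip":
            true_client = _parse_ip(value)

    # Assumption: the entry added by the BIG-IP is the last one; earlier
    # entries arrived from the client side and are not trusted here.
    connecting = _parse_ip(xff_values[-1]) if xff_values else None
    if connecting is None:
        return peer_ip, "peer"
    if true_client is not None and _within(connecting, CDN_EDGES):
        # True-Client-IP passed through the BIG-IP untouched; accept it only
        # because the BIG-IP's own client was a CDN edge.
        return str(true_client), "true-client-ip"
    return str(connecting), "x-forwarded-for"
```
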