Forum Discussion
tnolet_112676
Nimbostratus
Mar 25, 2008
Does the X-Forwarded-For option in the profiles work with HTTPS?
Hi,
I'm currently the de facto admin for our 1500-series BIG-IP. I'm setting up the machine to insert the X-Forwarded-For data into the headers of all HTTP traffic so that we can log original client IPs in our Apache log. The problem is all our traffic is SSL encrypted on Apache, not on the BIG-IP. Enabling X-Forwarded-For in the HTTP profile and assigning it to the Virtual Server chokes all traffic.
Am I right to say that the BIG-IP cannot insert data into the encrypted HTTPS stream? Do I need to offload SSL encryption to the BIG-IP for this to work?
AKA....does the X-Forwarded-For option in the profiles work with HTTPS?
I must say the F5 documentation is very unclear on this aspect. It doesn't even mention this, I think, pretty common situation.
Thanks Y'all!
3 Replies
- Nicolas_Menant
Employee
Hi,
To update an HTTP request with the X-Forwarded-For header you'll need to use an iRule or configure it in the HTTP profile (easier).
If you need to do it for an HTTPS stream, you need to make the BIG-IP be the SSL termination, i.e. use a clientssl profile on your vs (and a server ssl profile to maintain HTTPS between the BIG-IP and the server if you wish).
Then you'll be able to assign to this vs your http profile and it should work.
HTH
- tnolet_112676
Nimbostratus
Hi,
Thanks for the quick reply. You completely confirmed my suspicion. I hoped it was going to be a quick change, but it seems that we are going to have to let the BIG-IP do some SSL encryption/decryption just for this purpose. I will of course use the simple profile checkbox.
I was just checking to make sure there wasn't another way, 'cause this has quite a major impact on the online banking site we're running.
Tim
- Mark_Curole
Nimbostratus
You need to look closely at the config manual for a client SSL profile. The simple profile just will not work.
First, you are going to have to either copy your public and private keys from your Apache config to the 1500s or you are going to have to generate a new certificate and get it signed.
Then you will need to create a custom SSL profile that references your public and private keys. Also, you will want to look closely at the Cipher configuration on the profile since I am assuming as a bank you would not want to do < 128 bit encryption.
https://support.f5.com/kb/en-us/solutions/public/7000/800/sol7815.html
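
Added example, not part of the thread or of F5's documentation: once the BIG-IP terminates SSL and inserts X-Forwarded-For as described above, the Apache access log can be read like this to recover the original client IP. The LogFormat, the 10.0.0.5 self IP, the name `client_ip` and the sample lines are assumptions made for illustration, as is the premise that the value added by the BIG-IP is the last entry in the header.

```python
import ipaddress
import re

# Assumed Apache directive (not from the thread):
#   LogFormat "%h \"%{X-Forwarded-For}i\" %t \"%r\" %>s" xff
LINE_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<xff>[^"]*)" \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})$'
)

# Constructed address standing in for the BIG-IP self IP that Apache sees as %h.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(line):
    """Return the original client IP for one log line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m.group("peer"))
    except ValueError:
        return None
    # A request that did not come through the BIG-IP carries a header nobody
    # vouches for, so the TCP peer is the only address worth recording.
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    # Assumption: the BIG-IP's value is the last entry; anything before it
    # arrived with the request and is ignored.
    last = m.group("xff").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return str(peer)  # header missing ("-") or malformed


# Constructed sample lines, not real traffic.
SAMPLE = [
    '10.0.0.5 "203.0.113.7" [25/Mar/2008:10:00:00 +0100] "GET / HTTP/1.1" 200',
    '10.0.0.5 "192.0.2.99, 203.0.113.8" [25/Mar/2008:10:00:01 +0100] "GET /login HTTP/1.1" 200',
    '198.51.100.4 "127.0.0.1" [25/Mar/2008:10:00:02 +0100] "GET / HTTP/1.1" 200',
    '10.0.0.5 "-" [25/Mar/2008:10:00:03 +0100] "GET /health HTTP/1.1" 200',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(client_ip(entry))
```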
