Forum Discussion

Dennis_Andrade_'s avatar
Dennis_Andrade_
Icon for Nimbostratus rankNimbostratus
Feb 18, 2014

HTTP profile: x-forwarded-proto

I have a virtual server configured on a custom port 8080 with a client SSL profile attached to it. So the user will enter https://hostname.com:8080 to access the virtual server. So far so good. I hav...
application delivery
availability
design
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 18, 2014

The X-Forwarded-Proto header is typically used to tell an application that SSL is being offloaded by a proxy. This may be important when an application doesn't understand the SSL offloading and responds to the client with references to itself (redirects, document object references, etc.) with the URL that it "thinks" it is (usually a web server not listening on an SSL port). It's also important to note that not every application supports or understands this header, nor do all applications have a problem with something else doing the SSL offloading. That said, it's very likely that your application DOES understand this header, but is blindly responding with references to itself by simply changing http:// to https://. There are a few ways to get around this:

 

  1. The most common approach, and probably the easiest, is simply to use a standard port for HTTPS traffic (443). The https:// references from the server will then be correct.

     

  2. You could apply a STREAM profile in an iRule, attached to the VIP, to replace any instance of https://hostname with https://hostname:8080 in the web server's responses.