For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Parveez_70209's avatar
Parveez_70209
Icon for Nimbostratus rankNimbostratus
Oct 29, 2013

http_x_forwarded_for setting query

Hi,

 

We wanted to enable http_x_forwarded_for feauture in our HTTP as well as HTTPS Virtual-server having same VIP.

 

  1. Whenever someone hits HTTP URL, it should redirect to HTTPS.
  2. So, last time we applied only this to HTTP Profile( BUT Application understands only HTTPS not HTTP), not to https profile, so it didnt gave desired output, so now planning to enable http_x_forwarded_for feauture in this HTTPS profile too.

Query: Into this we are enabling 3 parameters:(http_x_forwarded_for for HTTPS profile) 1.Request Header Insert : ORIGINAL-PROTOCOL:HTTPS( kindly suggest whether this is correct or good). 2.Redirect Rewrite : all 3.Insert X-Forwarded-For : Enabled

 

3.The featured which we applied to HTTP(http_x_forwarded_for for HTTPS profile): , can we have the same settings: 1.Request Header Insert : ORIGINAL-PROTOCOL:HTTPS( kindly suggest whether this is correct or good). 2.Redirect Rewrite : all 3.Insert X-Forwarded-For : Enabled

 

Thanks and Regards Parveez

 

3 Replies

  • Richard__Harlan's avatar
    Richard__Harlan
    Historic F5 Account
    Oct 29, 2013

    So if I understand you have two VIPs one HTTP and one HTTPS. The HTTP VIP should redirect all traffic to HTTPS. Both the HTTP and HTTPS VIPs will need to have a HTTP profile for them to understand the HTTP protocol. Now if the above is true you should not need to add the headers to the HTTP VIP but you should add the headers on the HTTPS VIP. If you add them to the HTTP VIP it should not do anything as when the client makes the request again to the HTTPS VIP the headers will not be there and the LTM will have to add them again to the server.

     

    Now if you have add the header to tell the server that there is a SSL offload device you should not have to rewrite the redirects. At this point the server should be told to send back HTTPS links when it see the HTTPS header.

     

    If I am missing anything please let me know. Thanks

     

  • Parveez_70209's avatar
    Parveez_70209
    Icon for Nimbostratus rankNimbostratus
    Oct 30, 2013

    Ok Richard thanks.

     

    So, if I understand it currently, we have to enanble HTTP_X_FORWARDED_FOR feature only to HTTPS Profile not to HTTPS profile correct, as HTTP is just to redirect it to HTTPS and secondly as the application understands only to HTTPS.

     

    And also wanted to specify one more thing: Pool a is for Web traffic whereas Pool b is for clock traffic and to divide the same we are applying the below irule:

     

    when HTTP_REQUEST { check for pages needing to not redirect to https switch -glob [string tolower [HTTP::uri]] { "/getxsl.asp" { pool a} "/RadSOMsgReceiverTri.asp" { pool a } "/RadSOFileTransfer.asp" { pool a } "/Reader.sod" { pool a } "/clockserver.asp" { pool b } } } }

     

    So, do I need to manually call Pool b also into the HTTPS profile as this is related to Clock traffic.

     

    What if I call this Irule alongwith Pool b into the Virtual-server. Which one it will take or get preference: Irule or manual Pool b.

     

    Thanks and Regards Parveez

     

  • Parveez_70209's avatar
    Parveez_70209
    Icon for Nimbostratus rankNimbostratus
    Oct 30, 2013

    Hi ,

     

    Kindly guide above query..

     

    Also, as we implement the http_x_forwarded_for feauture in HTTPS Virtual-Server, planning to enable below 3 features in http_x_forwarded_for profile: Kindly assist in reviewing:

     

    we are enabling 3 parameters:(http_x_forwarded_for for HTTPS profile) 1.Request Header Insert : ORIGINAL-PROTOCOL:HTTPS( kindly suggest whether this is correct or good). 2.Redirect Rewrite : all 3.Insert X-Forwarded-For : Enabled

     

    Thanks and Regards Parveez