Issue with HTTP profile X-Forwarded-For and AFM
Hopefully it's just an oversight on my part, but here it is in a nutshell. Developer wants to see the source client IP at the web server level, and traffic is being sent through several F5 platforms.
The web server is seeing the F5 self-IP as the client source IP with no HTTP profile w/X-Forwarded-For enabled.
The web server is seeing an inline firewall as the client source IP with the HTTP profile w/X-Forwarded-For enabled.
If the HTTP profile is enabled at the AFM level w/X-Forwarded-For, the page stops rendering.
1st AFM/LTM - FW rule to allow 443 and block all other traffic
2nd ASM/LTM - no policy applied for now
3rd perimeter FW
4th LTM
ISAPI Filter provided from F5 has been placed on the web server as recommended.
Any help on this is much appreciated.
2 Replies
- hoolio
Cirrostratus
Hi Dave,
Is this encrypted HTTPS traffic? If so and you want BIG-IP to insert an XFF header, you'll need to import a valid server cert and key, create a client SSL profile and then add both the client SSL and HTTP profiles to the virtual server. This allows BIG-IP to decrypt the SSL and modify the HTTP headers to insert the XFF header.
If this doesn't work for you, please reply with your BIG-IP version, virtual server, client SSL profile and HTTP profile config. You can copy these from the bigip.conf or list the config using tmsh.
Aaron
- Dave_Clark_2114
Nimbostratus
Pretty simple resolution, like hoolio suggested. Here are the config steps I needed.
Use case: customer wanted external clients' source IP for application functions and also wanted to have the source IP of internal clients as well.
Created an HTTP profile with Insert X-Forwarded-For and Accept XFF, with the virtual server using a client-side cert to decrypt the 443 traffic on the client SSL profile and the default serverssl for the server-side SSL profile on the AFM/LTM F5.
On the ASM/LTM F5 I'm simply using LTM at the moment, but a cert is required for the client side if leveraging the ASM feature to allow packet inspection.
Last hop :) internal network includes an HTTP profile with Insert X-Forwarded-For and Accept XFF to allow internal clients to pass the client source IP to that particular F5 virtual server, a client SSL profile cert to decrypt traffic, and the default server-side SSL profile cert.
Here is an iRule monitor that assisted me in seeing the X-Forwarded-For traffic when testing.
when HTTP_REQUEST {
    # Record the TCP peer and requested host/URI; LogString persists for the connection
    set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
    log local0. "============================================="
    log local0. "$LogString (request)"
    # Dump every request header, including any X-Forwarded-For that arrived or was inserted
    foreach aHeader [HTTP::header names] {
        log local0. "$aHeader: [HTTP::header value $aHeader]"
    }
    log local0. "============================================="
}
when HTTP_RESPONSE {
    log local0. "============================================="
    log local0. "$LogString (response) - status: [HTTP::status]"
    foreach aHeader [HTTP::header names] {
        log local0. "$aHeader: [HTTP::header value $aHeader]"
    }
    log local0. "============================================="
}
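Once several hops each insert or preserve X-Forwarded-For, the web server ends up with a comma-separated chain, and with Accept XFF enabled an entry the client itself supplied is kept as well. The following is an added example, not code from the thread or from F5, of how the server side can recover the originating client address safely: it walks the chain from the verified TCP peer leftwards and stops at the first address that is not a known proxy. The proxy networks and sample addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholder networks for the hops in the thread (AFM/LTM, ASM/LTM,
# inline firewall, last LTM); a real deployment would list its own self-IPs.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/24"),   # assumed BIG-IP self-IP range
    ipaddress.ip_network("192.0.2.0/24"),  # assumed inline firewall range
)


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of the known proxy networks."""
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the originating client address, or None if the chain is malformed.

    The TCP peer is the only hop that is verified; each XFF entry to its left
    was appended by the hop to its right. Walking right to left and stopping
    at the first non-proxy address ignores anything the client prepended
    itself, which an Accept XFF setting would otherwise carry through.
    """
    chain = parse_xff(xff_header) + [remote_addr]
    for entry in reversed(chain):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # malformed entry: refuse to guess
        if not is_trusted(addr, trusted):
            return str(addr)
    # Every hop was a trusted proxy: the leftmost entry is the best available.
    return chain[0]
```

Logging both the derived address and the raw header makes a forged leftmost entry visible during testing, which is the same thing the iRule above exposes from the BIG-IP side.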