Forum Discussion
Pass Source IP to server?
Yeah... you can get it through a custom http profile with the x-forward option enabled.
- Michael_Ozorows, Mar 06, 2017
Nimbostratus
Thank you Jhaas, this worked!!! :) Only thing I had to do was do port 80 or 8080 with x-forward; it's not working with HTTPS.
I think for HTTPS I just need an SSL Cert for SSL Offload on the F5, is that correct?
- Stephane_Viau_1, Mar 06, 2017
Nimbostratus
Michael, you have 3 options:
First option is you do not enable an HTTP profile on your Virtual Server. In this case the TLS handshake will have to be done by your application server. There is 0 offloading done in this case and your SSL certificate needs to be on your app server:
Client --> Passthrough Port 443 --> Big-IP --> Passthrough Port 443 or 8443 --> App Server
Second option is you enable an HTTP profile and also an SSL certificate (through a client-ssl profile), but pass on the requests to the app server unencrypted. This is probably the scenario that you are looking for because it provides offloading for your server:
Client --> HTTPS Port 443 --> F5 Big-IP --> HTTP Port 8080 --> App Server
This option offloads the server as the encryption terminates at the Big-IP. One important thing to know is that this might cause your app to misbehave because your app might want users to come in via HTTPS but it will see unencrypted connections. And then it will redirect users to . And this is going to create an infinite loop. In this case you might need to pass on not only X-Forwarded-For, but also X-Forwarded-Proto to tell your application that the user has connected via https and not http.
Third option is you use encryption all the way, in which case you need an HTTP, client-ssl profile and server-ssl profile. You will need an SSL cert on both Big-IP and app server:
Client --> HTTPS port 443 --> Big-IP --> HTTPS Port 443 or 8443 --> App Server
This scenario does not provide offloading for your server but provides an additional level of security.
- Samir_Jha_52506, Mar 07, 2017
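How an app server behind the second option can consume the two headers, as an added example that is not part of the original thread: it accepts X-Forwarded-For and X-Forwarded-Proto only when the TCP peer is the load balancer, and redirects to HTTPS only when the client really arrived without TLS, which avoids the redirect loop. The proxy address 10.0.0.5, the function names and the sample requests are assumptions constructed for the illustration.

```python
import ipaddress

# Assumption: the address the BIG-IP uses to reach the app server (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_trusted(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client(peer_ip, headers):
    """Return (client_ip, scheme) for a request that arrived over plain HTTP."""
    # Forwarding headers sent by anything but the proxy are client-controlled.
    if not is_trusted(peer_ip):
        return peer_ip, "http"
    h = {k.lower(): v for k, v in headers.items()}
    client_ip = peer_ip
    # Assumption: one trusted hop, whose entry is the last in the list;
    # earlier entries were supplied by the client and are not trusted.
    entries = [e.strip() for e in h.get("x-forwarded-for", "").split(",") if e.strip()]
    if entries:
        try:
            client_ip = str(ipaddress.ip_address(entries[-1]))
        except ValueError:
            pass  # malformed value: fall back to the TCP peer
    proto = h.get("x-forwarded-proto", "").strip().lower()
    scheme = "https" if proto == "https" else "http"
    return client_ip, scheme


def needs_https_redirect(peer_ip, headers):
    """True only when the client really reached the site without TLS."""
    return resolve_client(peer_ip, headers)[1] != "https"


if __name__ == "__main__":
    # Constructed sample requests as the app server would see them.
    samples = [
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}),
        ("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}),
        ("198.51.100.9", {"X-Forwarded-For": "10.1.1.1", "X-Forwarded-Proto": "https"}),
    ]
    for peer, hdrs in samples:
        print(peer, resolve_client(peer, hdrs), needs_https_redirect(peer, hdrs))
```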
Noctilucent
@Michael, you will have to attach a valid SSL cert for the https vip to get the client ip. The rest of the configuration is the same as for the http vip (http profile with x-forward enabled).