SNAT / X-FORWARD-FOR breaks HTTPS connection
We are trying to create an iAPP with SSL passthrough and X-FORWARDED set but when we enable SNAT for the X-FORWARDED-FOR (HTTP profile or iRule X-FORWARDED-FOR) the connection seems to stop passing through to our backend IIS pool (nothing logged in the IIS logs).
We have looked through a few guides but it feels like we are missing something or there is an underlying setup flaw with our F5.
Edge / Chrome give the following: err_connection_reset
It would seem that the minute we enable either an HTTP Profile or an SSL Profile, or enable SNAT, the site stops working.
I'm sure you will need more info from me. As I'm relatively new to F5s, let me know what you need and I'll post the details.
SSL Passthrough is a FastL4 setup.
SSL Offload, or SSL Offload and Re-Encrypt (in other terms, SSL Bridging), are Standard VS setups.
SSL Passthrough cannot alter HTTP data. You cannot perform XFF with a FastL4 setup.
I would request you to follow this article to understand more about HTTP traffic.
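Why a passthrough (L4) virtual server cannot add X-Forwarded-For while SSL bridging can, as an added Python illustration that is not F5 code and not from the thread: at L4 the proxy holds only TLS record bytes, and a header can be inserted only into decrypted plaintext. The function names, sample bytes, host name and client address are constructed for the example.

```python
import ipaddress

# Constructed sample: start of a TLS 1.2 ClientHello record (truncated, not a capture).
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(32)
# Constructed sample: the request as it exists only after TLS is terminated.
PLAINTEXT_REQUEST = b"GET / HTTP/1.1\r\nHost: app.example.test\r\n\r\n"

TLS_RECORD_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def classify_first_bytes(data: bytes) -> str:
    """Say what a proxy is holding: a TLS record, a plaintext HTTP request, or neither."""
    # TLS record header: content type (1 byte), version major 3, minor 0..4, length (2 bytes).
    if len(data) >= 5 and data[0] in TLS_RECORD_TYPES and data[1] == 3 and data[2] <= 4:
        return "tls"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def insert_xff(data: bytes, client_ip: str) -> bytes:
    """Add X-Forwarded-For to a plaintext request head; refuse anything still encrypted."""
    ipaddress.ip_address(client_ip)  # ValueError unless a valid IP (blocks CRLF injection)
    if classify_first_bytes(data) != "http":
        raise ValueError("no plaintext HTTP here: terminate TLS before inserting headers")
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    lines.insert(1, b"X-Forwarded-For: " + client_ip.encode("ascii"))
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    for name, payload in (("passthrough (L4)", TLS_CLIENT_HELLO_PREFIX),
                          ("bridging (L7, decrypted)", PLAINTEXT_REQUEST)):
        try:
            print(name, "->", insert_xff(payload, "203.0.113.10"))
        except ValueError as exc:
            print(name, "-> cannot insert XFF:", exc)
```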
- Peter_McCaldon (Nimbostratus)
Of course! So we have now corrected the setup to be SSL bridging and the site loads; however, the X-FORWARDED-FOR still doesn't seem to work. We have run a trace with Wireshark and enabled custom logging in IIS, but we cannot see the X-FORWARDED-FOR header info.
We have checked our setup against https://support.f5.com/csp/article/K4816.
Any thoughts?
EDIT: I had missed enabling Custom Logging in IIS. This works as expected now.