F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

1 Reply

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jan 24, 2014

    First, a minor typo:

    when HTTP_REQUEST { 
    HTTP::header insert "X-Forwarded-Proto" "https"
}

    Second, it depends. At a minimum it will insert an X-Forwarded-Proto header with the "https" value into every HTTP request going to the server. No harm there. What the server does with it is the question though. In a environment where you have a load balancer/proxy server offloading the SSL in front of an application, which is now NOT doing SSL, there is a chance that some applications won't understand this. For example, if the application doesn't understand that it's behind a proxy, and that it's listening on HTTP port 80, it may format all references (redirects, document objects, etc.) with absolute URLs that start with "http://" (instead of https://). When the browser gets this reference and tries to access it, it'll fail because there's no port 80 VIP listening for this service. Granted, it's rare, but it does happen. One option that some applications support is the above X-Forwarded-Proto header. If a proxy sends this header to the server, then it knows that external users access it via https://, and will format URLs accordingly. That of course only applies if the application cares about the X-Forwarded-Proto header, which in my experience is few. Another option is to simply rewrite those http:// references as they pass through the proxy. LTM has a function called a STREAM profile that does just that.