Forum Discussion
NimbostratusX-Forwarded for https
Hi all, we have an application on our server which can't determine if the request is https or http coming from F5. X-Forwarded option have been enabled but the issue still persist. Should
I have try with the irule below for X-Forwarded-Proto but somehow I got an error.
I have also try to insert "https" for Request Header Insert but the issue still persist.
2 Replies
oscarnet_69487HI
you miss
in end}when HTTP_REQUEST { if { [ssl::mode] == 1 } { if {!( [HTTP::header "x-Forwarded-Proto" ] eq "https") }{ HTTP::header insert x-Forwarded-Proto "https" } if {!( [HTTP::header exists "x-Forwarded-Port" ]) }{ HTTP::header insert x-Forwarded-Port [TCP::local_port] } } }have a good day!!!
- Kai_Wilke
MVP
Hi Doran,
you could streamline your iRule by moving the protocol enumeration into the
event (triggered only once every TCP connection), store the enumeration result into aCLIENT_ACCEPTED
and then reference the$variable
on every subsequent$variable
event. This approach will greatly reduce the overhead for Keep-Alive-Connections.HTTP_REQUESTwhen CLIENT_ACCEPTED { if { [PROFILE::exists clientssl] } then { set client_protocol "https" } else { set client_protocol "http" } } when HTTP_REQUEST { HTTP::header remove "X-Forwarded-Proto" HTTP::header insert "X-Forwarded-Proto" $client_protocol HTTP::header remove "X-Forwarded-Port" HTTP::header insert "X-Forwarded-Port" [TCP::local_port] }Note: In addition you should review your application if it would introduce certain risks if the client sends handcrafted X-Forwarded-Proto and X-Forwarded-Port headers to your application. If this scenario introduce some risks or if you can figure out the assosiated risks, then make sure to
any existing[HTTP::header remove]
andX-Forwarded-Proto
headers beforeX-Forwarded-Port
your verified values...[HTTP::header insert]Cheers, Kai
