For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Doran_Lum_13484's avatar
Doran_Lum_13484
Icon for Nimbostratus rankNimbostratus
Sep 04, 2017

X-Forwarded for https

Hi all, we have an application on our server which can't determine if the request is https or http coming from F5. X-Forwarded option have been enabled but the issue still persist. Should   I hav...
application delivery
BIG-IP
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Sep 05, 2017

Hi Doran,

you could streamline your iRule by moving the protocol enumeration into the 

CLIENT_ACCEPTED
event (triggered only once every TCP connection), store the enumeration result into a 
$variable
and then reference the 
$variable
on every subsequent 
HTTP_REQUEST
event. This approach will greatly reduce the overhead for Keep-Alive-Connections.

when CLIENT_ACCEPTED {
    if { [PROFILE::exists clientssl] } then {
        set client_protocol "https"
    } else {
        set client_protocol "http"
    }
}
when HTTP_REQUEST {
    HTTP::header remove "X-Forwarded-Proto"
    HTTP::header insert "X-Forwarded-Proto" $client_protocol
    HTTP::header remove "X-Forwarded-Port"
    HTTP::header insert "X-Forwarded-Port" [TCP::local_port]
}

Note: In addition you should review your application if it would introduce certain risks if the client sends handcrafted X-Forwarded-Proto and X-Forwarded-Port headers to your application. If this scenario introduce some risks or if you can figure out the assosiated risks, then make sure to 

[HTTP::header remove]
any existing 
X-Forwarded-Proto
and 
X-Forwarded-Port
headers before 
[HTTP::header insert]
your verified values...

Cheers, Kai