Forum Discussion
Luca_55898
Nimbostratus
Jul 28, 2012
x-forwarded-for, ok with HTTPS?
Hi,
Can you use the X-Forwarded-For option if the virtual server is an HTTPS server doing SSL offload?
The virtual server is configured on port 443, with a client SSL cert. The pool members are also on port 443. I have enabled the X-Forwarded-For option in a custom HTTP profile and assigned that to the VS, however the customer says it's not working correctly.
3 Replies
- Hamish
Cirrocumulus
You can if you decrypt the SSL session on the BigIP (SSL Offload) because the BigIP needs the decrypted stream to be able to add content to the headers.
You then have the option to re-encrypt the traffic between the BigIP and the poolmember itself which you'll require as your poolmembers are doing SSL as well.
H
- Luca_55898
Nimbostratus
The pool members are on 443, but not sure if they are doing SSL. I haven't configured a server side cert. So I change the pool members to be port 80, and configure SSL offload as per normal on the F5, can I just do x-forwarded-for like normal (using an HTTP profile)?
- Hamish
Cirrocumulus
It'd be unusual for port 443 NOT to be doing SSL. You shouldn't need a server side cert... Just one for the client-side SSL (i.e. the connection FROM the client).
Yes, you can change the poolmembers to port 80 and configure SSL offload. However you don't HAVE to... The BigIP can (with a suitable cert to present to the clients) act as a MITM.
H
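
The two setups discussed in this thread, written as tmsh commands. This is an added example, not configuration posted by either participant: the object names and documentation-range addresses are made up, and the built-in `clientssl` and `serverssl` profiles stand in for profiles carrying the site's real certificate.

```tmsh
# Constructed example: http_xff, pool_web_*, vs_* and all addresses are placeholders.

# HTTP profile that inserts X-Forwarded-For carrying the client's source address.
create ltm profile http http_xff { defaults-from http insert-xforwarded-for enabled }

# Option 1: SSL offload. TLS ends on the BIG-IP and the pool members receive
# plain HTTP on port 80, so only a client-side SSL profile is needed.
create ltm pool pool_web_80 { members add { 192.0.2.11:80 192.0.2.12:80 } monitor http }
create ltm virtual vs_https_offload { destination 203.0.113.10:443 ip-protocol tcp pool pool_web_80 profiles add { tcp { } http_xff { } clientssl { context clientside } } }

# Option 2: decrypt, insert the header, re-encrypt. The pool members stay on 443
# and really do speak TLS, so a server-side SSL profile is added as well.
# Without it the BIG-IP would send clear-text HTTP to a TLS port.
create ltm pool pool_web_443 { members add { 192.0.2.11:443 192.0.2.12:443 } monitor https }
create ltm virtual vs_https_reencrypt { destination 203.0.113.11:443 ip-protocol tcp pool pool_web_443 profiles add { tcp { } http_xff { } clientssl { context clientside } serverssl { context serverside } } }

# Confirm what is actually attached before looking at the back end.
list ltm profile http http_xff insert-xforwarded-for
list ltm virtual vs_https_offload profiles
list ltm virtual vs_https_reencrypt profiles
```

In both options the HTTP profile can only add the header because the client-side SSL profile has already decrypted the request.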
