X-Forwarded-for with SSL Passthrough (no offloading on LTM)

 If SSL is not offloaded on the bigip, there is no way it can decrypt the traffic coming from the servers and so nothing can be inserted into the headers.

Thus for HTTPs packets will get corrupt if encrypted packets and someone will try to insert XFF headers in it.

To insert XFF headers in HTTPs packets, F5 must have client SSL with SSL key to decrypt the packets before inserting the XFF header.

Else dont insert XFF on encrypted packets where the decryption is happening on the backend servers , and F5 is just a SSL pasthrough XFF insertion will make the SSL packets looks tampered or MIM man in middle attack sort of thing and the backend server will complain the packets are corrupt on invalid SSL packets as they have ben tampered headers while trying to insert the XFF headers in an encrypted SSL packet. One must undertsnad the packet level headers and modifyling SSL packet headers make them useless.

HTH

🙏