Forum Discussion
X-Forwarded-for with SSL Passthrough (no offloading on LTM)
If SSL is not offloaded on the BIG-IP, there is no way it can decrypt the traffic coming from the servers, and so nothing can be inserted into the headers.
Thus, HTTPS packets will get corrupted if they are encrypted and someone tries to insert XFF headers into them.
To insert XFF headers in HTTPS packets, F5 must have a client SSL profile with the SSL key to decrypt the packets before inserting the XFF header.
Otherwise, don't insert XFF on encrypted packets where the decryption is happening on the backend servers and F5 is just an SSL passthrough. XFF insertion will make the SSL packets look tampered with, like a MITM (man-in-the-middle) attack sort of thing, and the backend server will complain that the packets are corrupt or invalid SSL packets, as their headers have been tampered with while trying to insert the XFF headers into an encrypted SSL packet. One must understand the packet-level headers; modifying SSL packet headers makes them useless.
HTH
🙏
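The effect described in the post above, as an added Python sketch that is not part of the original post and is not F5 code. It is a simplified model, not real TLS: a toy keystream plus HMAC-SHA256 stands in for TLS record protection, and all function names, the sample request, and the IP address are constructed for illustration.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); stand-in for the real TLS cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def protect(enc_key, mac_key, plaintext):
    # Client side: encrypt, then authenticate record header + nonce + ciphertext.
    nonce = os.urandom(12)
    body = nonce + _xor(plaintext, enc_key, nonce)
    header = b"\x17\x03\x03" + (len(body) + 32).to_bytes(2, "big")
    return header + body + hmac.new(mac_key, header + body, hashlib.sha256).digest()

def unprotect(enc_key, mac_key, record):
    # Backend side: verify the tag before decrypting; any in-path change fails here.
    header, body, tag = record[:5], record[5:-32], record[-32:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad_record_mac")
    return _xor(body[12:], enc_key, body[:12])

def passthrough_insert_xff(record, client_ip):
    # A device without the keys sees only opaque bytes, so it cannot locate the
    # HTTP headers; it can only splice bytes in blindly and fix up the length.
    xff = f"X-Forwarded-For: {client_ip}\r\n".encode()
    body = record[5:25] + xff + record[25:]
    return record[:3] + len(body).to_bytes(2, "big") + body

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # known to client and backend only
    request = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"  # constructed sample
    record = protect(enc_key, mac_key, request)
    untouched_ok = unprotect(enc_key, mac_key, record) == request
    try:
        unprotect(enc_key, mac_key, passthrough_insert_xff(record, "203.0.113.7"))
        tampered = "accepted"
    except ValueError as exc:
        tampered = str(exc)
    return untouched_ok, tampered
```

`demo()` returns `(True, "bad_record_mac")`: the untouched record decrypts on the backend, while the record with the spliced header is rejected.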