Sabeer_Ali_2389
Feb 05, 2016

X-Forwarded in F5

We have the below X-Forwarded configured on our Cisco ACE; now we are migrating the VIP to F5 LTM. How can we configure the X-Forwarded in F5?

 

    insert-http X-Forwarded-Proto header-value "%is"
    insert-http X-Forwarded-Port header-value "%is"
    insert-http X-Forwarded-For header-value "%is"

 

  • Thanks Kai,

    Will it take care of IP, port and protocol?

    I think it will only X-Forwarded IP


  • Just noticed you also mentioned X-Forwarded-Proto and X-Forwarded-Port. If you want that, you will have to either use a local traffic policy or an iRule. A real easy iRule to add those is this.

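    when CLIENT_ACCEPTED {
        # A client SSL profile on the virtual server means the client connected over TLS
        if { [PROFILE::exists clientssl] == 1 } {
            set protocol "https"
        } else {
            set protocol "http"
        }
    }

    when HTTP_REQUEST {
        # Set the headers from what the BIG-IP observed on the connection
        HTTP::header replace X-Forwarded-Proto $protocol
        # TCP::local_port here is the virtual server port the client connected to
        HTTP::header replace X-Forwarded-Port [TCP::local_port]
    }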
    
    • Kai_Wilke
      Hey Brad, is the ">=" expression required in the case that multiple SSL profiles are used?
    • Brad_Parker_139
      yeah, but then I realized "exists" is 0 or 1. Brain was going in two directions.
  • Hi Sabeer Ali,

    No, X-Forwarded-For would just forward the IP. To forward other information you should use the iRule below...

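    when CLIENT_ACCEPTED {
        # A client SSL profile on the virtual server means the client connected over TLS
        if { [PROFILE::exists clientssl] } then {
            set client_protocol "https"
        } else {
            set client_protocol "http"
        }
    }
    when HTTP_REQUEST {
        # "insert" adds a new header line; it does not remove a header of the same name sent by the client
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
        HTTP::header insert "X-Forwarded-Proto" $client_protocol
        # TCP::client_port is the client's source port
        HTTP::header insert "X-Forwarded-Port" [TCP::client_port]
    }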
    

    Cheers, Kai
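
A hardened variant of the iRules posted above, added here as an example and not written by any participant in the thread: it removes every X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Port header the client sent before inserting values taken from the connection itself, so a backend that trusts these headers cannot be fed client-chosen values. It assumes the BIG-IP is the first trusted proxy in front of the pool (no upstream proxy whose X-Forwarded-For must be preserved); the variable name `xf_proto` is illustrative.

```tcl
when CLIENT_ACCEPTED {
    # A client SSL profile on the virtual server means the client side is TLS.
    if { [PROFILE::exists clientssl] } {
        set xf_proto "https"
    } else {
        set xf_proto "http"
    }
}

when HTTP_REQUEST {
    # Drop anything the client supplied under these names. "remove" clears
    # every occurrence, so duplicated headers cannot slip through.
    foreach name {X-Forwarded-For X-Forwarded-Proto X-Forwarded-Port} {
        if { [HTTP::header exists $name] } {
            # Log only the header name and source address, never the
            # client-controlled value, to keep the log free of injected text.
            log local0.info "Stripped client-supplied $name from [IP::client_addr]"
            HTTP::header remove $name
        }
    }

    # Re-add the headers from facts the BIG-IP observed on the connection.
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    HTTP::header insert "X-Forwarded-Proto" $xf_proto
    # TCP::local_port is the virtual server port the client connected to.
    HTTP::header insert "X-Forwarded-Port" [TCP::local_port]
}
```

If another trusted proxy sits in front of the BIG-IP, leave its X-Forwarded-For out of the removal list and accept it only from that proxy's address.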