For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

zikovich_146574's avatar
zikovich_146574
Icon for Nimbostratus rankNimbostratus
Mar 06, 2014

XFF licensing for https

Hello,

 

I have (maybe a simple) question about XFF in F5 BigIP. We have application that is using SSL (https) and we would like to activate de XFF option in our F5 and i would like to know if do we need a special license to activate the XFF for https?

 

Many thanks in advance for your reply.

 

4 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Mar 06, 2014

    If you're referring to XFF header injection as provided in the HTTP Profile within LTM, then no there's no additional licensing. You cannot, however, insert an XFF header, or any header for that matter, if you do not offload the SSL at the LTM.

     

  • zikovich_146574's avatar
    zikovich_146574
    Icon for Nimbostratus rankNimbostratus
    Mar 06, 2014

    Thanks for your quick reply. Sure we have to offload the SSL by using the private key of the application and then enable the XFF. Am i right?

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Mar 06, 2014

    More or less, you are correct. Offloading client side SSL requires a client SSL profile applied to the virtual server. That client SSL profile must have, at a minimum, a server certificate and its corresponding private key. Enabling XFF header injection is a checkbox option in the HTTP profile: Insert X-Forwarded-For.

     

  • zikovich_146574's avatar
    zikovich_146574
    Icon for Nimbostratus rankNimbostratus
    Mar 06, 2014

    OK Many thanks for your answers. I think the network team will be able to do it. I was just asking if we need a special license for this operation and your answer was clear "NO".

     

    Reagrds,