Forum Discussion

asayer_6572
May 19, 2008

XForwarded with https?

Hi guys,

sorry if this is a noob question, but I am trying to pass the client IP address to the back-end web server over HTTPS.

I have set up client-side SSL termination and server-side SSL initiation and have set up a profile and enabled "Insert XForwarded For"; however, this is not being populated.

Is this possible, and how may I go about doing it?

Thanks in advance

 

  • Hi,

    this should work, since you use a client SSL profile, meaning that within the BIG-IP you have access to the HTTP stream...

    Can you post your VS configuration from the bigip.conf?
  • Colin_Walker_12
    Historic F5 Account

    That plus any messages that might be showing up in /var/log/ltm, perhaps?

    This should be pretty basic, default functionality.

    Colin
  • Thanks for the responses.

    I agree it should be pretty simple; however, I thought I was being stupid when it didn't work.

    I took a look at /var/log/ltm and didn't see anything that pointed me to what the problem was.

    I have also created a service request with F5.

    Here are the relevant sections from the bigip.conf

    (sorry, my company is a bit funny about posting stuff to the internet)

      profile serverssl portaltest_server {
         defaults from serverssl
         cert "portaltest_server.crt"
      }
      profile serverssl authtest_server {
         defaults from serverssl
         cert "authtest_server.crt"
      }
      profile http http_xforward {
         defaults from http
         insert xforwarded for enable
      }
      profile http https_xforward {
         defaults from http
         redirect rewrite all
         insert xforwarded for enable
      }
      node 192.168.222.237 {
         screen linagwtest1
      }
      node 192.168.222.235 {
         screen linidptest1
      }
      node 192.168.222.238 {
         screen linagwtest2
      }
      node 192.168.222.236 {
         screen linidptest2
      }
      pool NAM-authtest-https {
         monitor all https
         member 192.168.222.235:https session disable
         member 192.168.222.236:https
      }
      pool NAM-portaltest-http {
         member 192.168.222.237:http
         member 192.168.222.238:http
      }
      pool NAM-portaltest-https {
         monitor all https
         member 192.168.222.237:https
         member 192.168.222.238:https
      }
      pool NAM-authtest-http {
         member 192.168.222.235:http
         member 192.168.222.236:http
      }
      rule X-Forward-For {
         when HTTP_REQUEST {
            HTTP::header insert X-Forwarded-For [IP::remote_addr]
         }
      }
      virtual DMZ-to-NAM-authtest {
         destination 192.168.222.124:https
         snat automap
         ip protocol tcp
         pool NAM-authtest-https
      }
      virtual DMZ-to-NAM-portaltest {
         destination 192.168.222.123:https
         snat automap
         ip protocol tcp
         profile authtest.worksafe.vic.gov.au http_xforward portaltest_server tcp
         pool NAM-portaltest-https
         rule X-Forward-For
      }
      virtual DMZ-to-NAM-authtest-redirect-to-https {
         destination 192.168.222.124:http
         snat automap
         ip protocol tcp
         profile https_rewrite tcp
         rule http-redirect-to-https-portaltest.worksafe.vic.gov.au
      }
      virtual DMZ-to-NAM-portaltest-redirect-to-https {
         destination 192.168.222.123:http
         snat automap
         ip protocol tcp
         profile https_rewrite tcp
         rule http-redirect-to-https-portaltest.worksafe.vic.gov.au_uri
      }


  • I think this may have been user error on my part.

    Will update when I confirm.
  • We found the problem.

    Our configuration is as follows:

    LTM <-> NAM Reverse Proxy <-> Apache Web Server

    NAM = Novell Access Manager

    We had the configuration working over HTTP and forwarding the X-Forward-For header; however, we were unable to get it to work over HTTPS.

    I assumed that the problem was with the LTM; however, when I ran a packet capture on the Apache Web Server and NAM server, I could see the X-Forward-For header on the NAM side but not the Apache side.

    After some research I discovered this option needed to be enabled on the NAM for X-Forward-For to work over HTTPS.

    Thanks for the prompt help and guidance
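As an added example (not code from this thread or from F5), the check a practitioner would run on the Apache side of the LTM -> NAM -> Apache chain above: parse a captured request and derive the real client address from X-Forwarded-For, trusting only the known proxy hops (with `snat automap`, the peer address Apache sees is a proxy, never the client). The LTM self-IP 192.0.2.10 and the client/request contents are constructed; the NAM addresses are the pool members from the posted config.

```python
import ipaddress

# Constructed proxy chain: LTM self-IP (assumed) and the two NAM nodes from the config.
TRUSTED_PROXIES = ["192.0.2.10/32", "192.168.222.235/32", "192.168.222.236/32"]

# Constructed requests, as a packet capture on the Apache side would show them.
REQ_WITH_XFF = ("GET / HTTP/1.1\r\nHost: portaltest.example\r\n"
                "X-Forwarded-For: 203.0.113.7, 192.0.2.10\r\n\r\n")
REQ_WITHOUT_XFF = "GET / HTTP/1.1\r\nHost: portaltest.example\r\n\r\n"

def parse_headers(raw_request):
    """Return the header block of an HTTP/1.1 request as {lowercase-name: value}."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def client_ip(headers, peer_addr, trusted_proxies):
    """Client address as seen through trusted proxies, or None if it cannot be established.

    Walk X-Forwarded-For from the right, skipping hops that are trusted proxies;
    the first untrusted hop is the client. Anything left of it is client-supplied
    and must not be trusted. If the peer itself is not a trusted proxy, the header
    is ignored entirely and the peer address is the client.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in net for net in trusted)
        except ValueError:
            return False

    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None                      # malformed hop: do not guess
    return None  # header absent, e.g. dropped by an intermediate proxy over HTTPS
```

A `None` result from a request arriving via a trusted proxy is the symptom this thread describes: the header was stripped somewhere in the chain, so log it rather than silently falling back to the proxy address.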