Forum Discussion
asayer_6572
Nimbostratus
May 19, 2008
XForwarded with https?
Hi guys,
Sorry if this is a noob question, but I am trying to pass the client IP address to the back end web server over https.
I have set up client-side SSL termination and server-side SSL initiation, and have set up a profile and enabled "Insert XForwarded For"; however, this is not being populated.
Is this possible and how may I go about doing it?
Thanks in advance
5 Replies
- Nicolas_Menant
Employee
Hi,
this should work since you use a client SSL profile meaning within the BIGIP you have access to the HTTP stream...
Can you post your VS configuration from the bigip.conf?
- Colin_Walker_12
Historic F5 Account
That plus any messages that might be showing up in /var/log/ltm, perhaps?
This should be pretty basic, default functionality.
Colin
- asayer_6572
Nimbostratus
Thanks for the responses.
I agree it should be pretty simple; however, I thought I was stupid when it didn't work.
I took a look at /var/log/ltm and didn't see anything that pointed me to what the problem was.
I have also created a service request with F5.
Here are the relevant sections from the bigip.conf
(sorry, my company is a bit funny about posting stuff to the internet)

```
profile serverssl portaltest_server {
   defaults from serverssl
   cert "portaltest_server.crt"
}
profile serverssl authtest_server {
   defaults from serverssl
   cert "authtest_server.crt"
}
profile http http_xforward {
   defaults from http
   insert xforwarded for enable
}
profile http https_xforward {
   defaults from http
   redirect rewrite all
   insert xforwarded for enable
}
node 192.168.222.237 {
   screen linagwtest1
}
node 192.168.222.235 {
   screen linidptest1
}
node 192.168.222.238 {
   screen linagwtest2
}
node 192.168.222.236 {
   screen linidptest2
}
pool NAM-authtest-https {
   monitor all https
   member 192.168.222.235:https session disable
   member 192.168.222.236:https
}
pool NAM-portaltest-http {
   member 192.168.222.237:http
   member 192.168.222.238:http
}
pool NAM-portaltest-https {
   monitor all https
   member 192.168.222.237:https
   member 192.168.222.238:https
}
pool NAM-authtest-http {
   member 192.168.222.235:http
   member 192.168.222.236:http
}
rule X-Forward-For {
   when HTTP_REQUEST {
      HTTP::header insert X-Forwarded-For [IP::remote_addr]
   }
}
virtual DMZ-to-NAM-authtest {
   destination 192.168.222.124:https
   snat automap
   ip protocol tcp
   pool NAM-authtest-https
}
virtual DMZ-to-NAM-portaltest {
   destination 192.168.222.123:https
   snat automap
   ip protocol tcp
   profile authtest.worksafe.vic.gov.au http_xforward portaltest_server tcp
   pool NAM-portaltest-https
   rule X-Forward-For
}
virtual DMZ-to-NAM-authtest-redirect-to-https {
   destination 192.168.222.124:http
   snat automap
   ip protocol tcp
   profile https_rewrite tcp
   rule http-redirect-to-https-portaltest.worksafe.vic.gov.au
}
virtual DMZ-to-NAM-portaltest-redirect-to-https {
   destination 192.168.222.123:http
   snat automap
   ip protocol tcp
   profile https_rewrite tcp
   rule http-redirect-to-https-portaltest.worksafe.vic.gov.au_uri
}
```

- asayer_6572
Nimbostratus
I think this may have been user error on my part.
Will update when I confirm.
- asayer_6572
Nimbostratus
We found the problem.
Our configuration is as follows:
LTM<->NAM Reverse Proxy<->Apache Web Server
NAM = Novell Access Manager
We had the configuration working over HTTP and forwarding the X-Forward-For header; however, we were unable to get it to work over HTTPS.
I assumed that the problem was with the LTM; however, when I ran a packet capture on the Apache Web Server and NAM server, I could see the X-Forward-For header on the NAM side but not the Apache side.
After some research I discovered this option needed to be enabled on the NAM for X-Forward-For to work over HTTPS.
Thanks for the prompt help and guidance.
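Added example (not part of the thread, and not F5 or Novell code): once X-Forwarded-For survives the LTM -> NAM -> Apache chain, the application behind Apache should accept it only from known proxy hops and walk it right to left, so a value supplied by the client cannot replace the real source address. The NAM node addresses are taken from the posted config and assumed to be the hops Apache sees; the LTM self IP and the client addresses are constructed.

```python
import ipaddress

# Hops allowed to vouch for a client address. The two node addresses come from
# the posted config; the LTM self IP is a constructed placeholder (assumption).
TRUSTED_PROXIES = {
    ipaddress.ip_address("192.168.222.237"),  # node linagwtest1 (assumed NAM hop)
    ipaddress.ip_address("192.168.222.238"),  # node linagwtest2 (assumed NAM hop)
    ipaddress.ip_address("192.168.222.5"),    # LTM SNAT/self IP (constructed)
}


def client_ip(peer, xff_headers):
    """Resolve the client address for a request arriving at the web server.

    peer        -- TCP source address of the connection
    xff_headers -- every X-Forwarded-For header line, in received order
    """
    current = ipaddress.ip_address(peer)
    # A peer that is not one of our proxies gets no say: ignore its header.
    if current not in TRUSTED_PROXIES:
        return str(current)
    # Several header lines are equivalent to one comma-separated list.
    hops = [h.strip() for line in xff_headers for h in line.split(",") if h.strip()]
    # Walk from the hop nearest to us outward; stop at the first address that
    # is not a trusted proxy. Anything to its left is client-controlled.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = addr
        if addr not in TRUSTED_PROXIES:
            break
    return str(current)


if __name__ == "__main__":
    nam = "192.168.222.237"
    # Normal path: LTM inserted the client, NAM appended the LTM address.
    print(client_ip(nam, ["203.0.113.7, 192.168.222.5"]))
    # Client sent its own X-Forwarded-For; the LTM added the real source after it.
    print(client_ip(nam, ["10.0.0.1", "203.0.113.7"]))
    # Header dropped at a hop (the symptom in this thread): only the proxy is visible.
    print(client_ip(nam, []))
```

When the result is one of the proxy addresses, the header was lost somewhere upstream, which is the condition the packet captures above isolated to the NAM hop.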
