Forum Discussion

Peter_McCaldon
Dec 14, 2020
Solved

SNAT / X-FORWARD-FOR breaks HTTPS connection

We are trying to create an iApp with SSL passthrough and X-FORWARDED-FOR set, but when we enable SNAT for the X-FORWARDED-FOR (HTTP profile or iRule X-FORWARDED-FOR), the connection seems to stop passing through to our backend IIS pool (nothing logged in the IIS logs).

We have looked through a few guides, but it feels like we are missing something or there is an underlying setup flaw with our F5.

Edge / Chrome give the following error: ERR_CONNECTION_RESET

It would seem the minute we enable either an HTTP Profile, an SSL Profile or SNAT, the site stops working.

I'm sure you will need more info from me. As I'm relatively new to F5s, let me know what you need and I'll post the details.

2 Replies

  • SSL Passthrough is a FastL4 setup.

    SSL Offload, or SSL Offload and Re-Encrypt (in other terms, SSL Bridging), are Standard VS setups.

    SSL Passthrough cannot alter HTTP data. You cannot perform XFF with a FastL4 setup.

    I would request you to follow this article to understand more about HTTP traffic.

  • Of course! So we have now corrected the setup to be SSL bridging and the site loads; however, the X-FORWARDED-FOR still doesn't seem to work. We have run a trace with Wireshark and enabled custom logging in IIS, but we cannot see the X-FORWARDED-FOR header info.

    We have checked our setup against https://support.f5.com/csp/article/K4816.

    Any thoughts?

    EDIT: I had missed enabling Custom Logging in IIS. This works as expected now.
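Added example (not posted by either participant in this thread): an iRule that does what the accepted reply describes, inserting X-Forwarded-For on a BIG-IP Standard virtual server. It assumes the virtual server has a client-ssl, a server-ssl and an http profile attached (SSL bridging); no profile or virtual server names are taken from the thread. On a FastL4 (SSL passthrough) virtual server the HTTP_REQUEST event never fires, because BIG-IP never sees plaintext HTTP, so the same iRule does nothing there.

```tcl
# Added example, not from the thread above.
# Assumes: Standard virtual server, SSL bridging (client-ssl + server-ssl
# profiles) and an http profile, so HTTP_REQUEST fires on the decrypted
# request before it is re-encrypted towards the IIS pool member.
when HTTP_REQUEST {
    # Drop any X-Forwarded-For the client supplied itself. The header is
    # trivially spoofable; if it is left in place the backend (and its logs)
    # may trust an attacker-chosen address instead of the real one.
    if { [HTTP::header exists "X-Forwarded-For"] } {
        HTTP::header remove "X-Forwarded-For"
    }

    # Insert the real client address. IP::client_addr is the address of the
    # TCP peer that connected to the virtual server, so it stays correct even
    # when SNAT rewrites the source address the pool member sees.
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]

    # The pool member only ever sees the re-encrypted hop from BIG-IP, so tell
    # it which scheme the client actually used.
    HTTP::header insert "X-Forwarded-Proto" "https"

    # Check for troubleshooting: confirm on BIG-IP (/var/log/ltm) that the
    # header is really being set before looking for it in IIS logs.
    # Remove or comment out once verified; it logs every request.
    log local0. "XFF [IP::client_addr] -> [HTTP::host][HTTP::uri]"
}
```

The http profile's own Insert X-Forwarded-For setting (the one K4816 describes) adds the header without an iRule, but it does not strip an X-Forwarded-For header the client already sent, so removing it first as above is what stops a client from choosing the address the backend records. On the IIS side the header is not among the default W3C log fields, which is why it only shows up once it is added as a custom request-header log field, as the final edit above notes.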