Forum Discussion
Sabeer_Ali_2389
Altostratus
AltostratusX-Forwarded in F5
We have below X-Forwarded configured on our cisco ACE , now we are migrating the VIP to F5 LTM. How we can configure the X-Forwarded in F5 ?
insert-http X-Forwarded-Proto header-value "%is" insert-http X-Forwarded-Port header-value "%is" insert-http X-Forwarded-For header-value "%is"
Brad_ParkerCirrus
In the HTTP profile there is a drop-down to enable the insertion of the header. Its literately an easy button on BIG-IP.
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/7.html
Sabeer_Ali_2389Thanks Kai,
Will it take care of IP, port and protocol ?
I think it will only X-Forwarded IP
pavel_ch_218671Nimbostratus
Create custom HTTP profile and 'Enable' X-forwarder. https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html In a GUI its just one click with mouse. in CLI modify global parameter of HTTP profile ltm profile http new-http-x-forward-profile { insert-xforwarded-for enabled }
then apply http profile to yoour virtual-server.
Brad_Parker_139Nacreous
Just notice you also mentioned X-Forward-Proto and X-Forwarded-Port, if you want that you will have to either use a local traffic policy or an iRule. A real easy irule to add those is this.
when CLIENT_ACCEPTED { if { [PROFILE::exists clientssl] == 1 } { set protocol "https" } else { set protocol "http" } } when HTTP_REQUEST { HTTP::header replace X-Forwarded-Proto $protocol HTTP::header replace X-Forwarded-Port [TCP::local_port] }- Kai_Wilke
MVP
Hey Brad, is the ">=" expression required in the case that multiple SSL profiles are used? - Brad_Parker_139yeah, but then I realized "exists" is 0 or 1. Brain was going in two directions.
- Brad_Parker_139exists vs counting is sometimes hard...
- Brad_Parker
Just notice you also mentioned X-Forward-Proto and X-Forwarded-Port, if you want that you will have to either use a local traffic policy or an iRule. A real easy irule to add those is this.
when CLIENT_ACCEPTED { if { [PROFILE::exists clientssl] == 1 } { set protocol "https" } else { set protocol "http" } } when HTTP_REQUEST { HTTP::header replace X-Forwarded-Proto $protocol HTTP::header replace X-Forwarded-Port [TCP::local_port] }- Kai_WilkeHey Brad, is the ">=" expression required in the case that multiple SSL profiles are used?
- Brad_Parkeryeah, but then I realized "exists" is 0 or 1. Brain was going in two directions.
- Brad_Parkerexists vs counting is sometimes hard...
- Kai_Wilke
Hi Sabeer Ali,
no
would just forward the IP. To forward other Information you should use the iRule below...X-Forwarded-Forwhen CLIENT_ACCEPTED { if { [PROFILE::exists clientssl] } then { set client_protocol "https" } else { set client_protocol "http" } } when HTTP_REQUEST { HTTP::header insert "X-Forwarded-For" [IP::client_addr] HTTP::header insert "X-Forwarded-Proto" $client_protocol HTTP::header insert "X-Forwarded-Port" [TCP::client_port] }Cheers, Kai
