x-forwarded-proto
2 Topics

Blackboard ssl-offload using x-forwarded-proto unsuccessful
We are trying to off-load SSL processing to our LTM for Blackboard Learn 9.1.201404.160205 and with the use of the header “X-Forwarded-Proto: https.” To paraphrase, Blackboard documentation states that when the header “X-Forwarded-Proto: https” is provided with an unencrypted session to Blackboard, Blackboard knows the SSL processing has been offloaded upstream and the session between Blackboard and the LTM continues unencrypted.

Below is a crude attempt at representing the desired flow:

USER -> F5 (dst Port 80)
User <- F5 redirect client to use https (dst Port 443)
USER -> F5 https (dst port 443)
F5 -> (has header X-Forwarded-Proto: https inserted) -> Appserver (dst port 8081 http)
F5 <- Appserver (src port 8081 http)
USER <- F5 (src port 443 https)

What we are experiencing is that clients providing the X-Forwarded-Proto: https header and connecting to the Blackboard application servers using http are being redirected to the https site of the server by the application server. With the VIP configured to connect to the pool using http and the inserted header X-Forwarded-Proto: https, the application server redirects the client to https. The LTM passes this redirect to the user, the user connects to the https VIP, the VIP inserts the X-Forwarded-Proto: https header and connects to the application server over http, the application server sends a redirect back to the client/user, …. until the user’s browser presents a too many redirects message.

F5 support provided an iRule to log header information sent to the application server. Below is the log viewed from the LTM CLI; “X-Forwarded-Proto: https” is being provided.

Apr 1 15:35:00 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : Accept-Language: en-US,en;q=0.8
Apr 1 15:35:00 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : X-Forwarded-For: aa.bb.cc.dd
Apr 1 15:35:00 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : X-Forwarded-Proto: https
Apr 1 15:35:00 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger :
Apr 1 15:35:04 slot1/ocs-vip02 info tmm[10910]: Rule /Common/Header_logger : Accept-Language: en-US,en;q=0.8
Apr 1 15:35:04 slot1/ocs-vip02 info tmm[10910]: Rule /Common/Header_logger : X-Forwarded-For: aa.bb.cc.dd
Apr 1 15:35:04 slot1/ocs-vip02 info tmm[10910]: Rule /Common/Header_logger : X-Forwarded-Proto: https
Apr 1 15:35:04 slot1/ocs-vip02 info tmm[10910]: Rule /Common/Header_logger : =============================================
Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : Accept-Encoding: gzip, deflate, sdch
Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : Accept-Language: en-US,en;q=0.8
Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : X-Forwarded-For: aa.bb.cc.dd
Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : X-Forwarded-Proto: https
Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : =============================================

Output from using cURL from the LTM CLI to connect to the Blackboard application server. The output shows the “X-Forwarded-Proto: https” header is being provided, and the Blackboard application server is replying with a redirect.

[] config curl -v -H "X-Forwarded-Proto:https" -H "X-Forwarded-For: aa.bb.cc.dd"
* About to connect() to ww.xx.yy.zz port 8081 (0)
* Trying ww.xx.yy.zz... connected
* Connected to ww.xx.yy.zz (ww.xx.yy.zz) port 8081 (0)
GET /webapps/portal/healthCheck HTTP/1.1
User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
Host: ww.xx.yy.zz:8081
Accept: /
X-Forwarded-Proto:https
X-Forwarded-For: aa.bb.cc.dd
< HTTP/1.1 301 Moved Permanently
< Server: Apache-Coyote/1.1
< Location: https://ww.xx.yy.zz/webapps/portal/healthCheck
< Content-Length: 0
< Date: Wed, 01 Apr 2015 21:13:07 GMT
< Connection: close
<
* Closing connection 0
[] config

Output from using cURL from a Windows PC to connect to the Blackboard application server. The output shows the “X-Forwarded-Proto: https” header is being provided, and the Blackboard application server is replying with a redirect.

C:\curl_741_0_ssh2_ssl>curl --http1.1 -v -S - -k -H "X-Forwarded-Proto:https" -H "X-Forwarded-For: aa.bb.cc.dd"
* Trying ww.xx.yy.zz...
* Connected to ww.xx.yy.zz (ww.xx.yy.zz) port 8081 (0)
GET /webapps/portal/healthCheck HTTP/1.1
User-Agent: curl/7.41.0
Host: ww.xx.yy.zz:8081
Accept: /
X-Forwarded-Proto:https
X-Forwarded-For: aa.bb.cc.dd
< HTTP/1.1 301 Moved Permanently
< Server: Apache-Coyote/1.1
< Location: https://ww.xx.yy.zz/webapps/portal/healthCheck
< Content-Length: 0
< Date: Thu, 02 Apr 2015 15:21:32 GMT
< Connection: close
<
* Closing connection 0

Are there any known successful Blackboard/F5 configurations that take advantage of the F5 SSL offload with the use of the X-Forwarded-Proto header? What could be causing the application server to not accept the X-Forwarded-Proto header provided by the F5 VIP or by cURL (from the F5 or a Windows desktop)? Are there any other users experiencing this issue? If so, how is it being addressed? One workaround is to encrypt the traffic from user to VIP and from VIP to application server, with no SSL offload. Are there any possible solutions? Successful configurations for both the LTM and the Windows/Blackboard server are greatly appreciated.

719 Views 0 likes 9 Comments

x-forwarded-proto + F5 + Drupal issues
My client has set up F5 and is doing SSL offloading. I'm using a Drupal application on Linux RedHat. The network team has set the x-forwarded-proto header on the F5 device. I've added RequestHeader add X-Forwarded-Proto https in my httpd.conf file and in settings.php (of Drupal) I've added below

When a request is made using https:// to the load balancer, it routes the request to the app server and everything loads just fine. However, if the request is just http:// to the load balancer, then my app server converts all references to resources (images/css/scripts) to https://.

When the request is handed over to the app server, will it carry, or is it expected to carry, the x-forwarded-proto in the headers received by the app server? I'm confused about what to do and where to fix it.

515 Views 0 likes 4 Comments
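
The redirect loop described in the first topic, as an added example: a constructed Python model, not code from either post, from F5, or from Blackboard. It follows the flow USER -> VIP -> pool member for a backend that ignores X-Forwarded-Proto and for one that honours it, and includes a check that can be applied to a captured curl exchange. The host app.example and all function names are assumptions; only the header name and the health-check path come from the page.

```python
# Added example: constructed model of the offload flow in the first topic.
# app.example and every function name here are assumptions for illustration.
from urllib.parse import urlsplit

PATH = "/webapps/portal/healthCheck"          # path taken from the curl output
HTTPS_URL = "https://app.example" + PATH      # constructed host

def lb_headers(client_scheme):
    """Header the offloading VIP inserts toward the pool member."""
    return {"X-Forwarded-Proto": client_scheme}

def backend_ignores_header(headers):
    """Behaviour observed in the post: plain-HTTP request is always redirected."""
    return 301, HTTPS_URL

def backend_honours_header(headers):
    """Behaviour the poster expects: https upstream means no redirect."""
    if headers.get("X-Forwarded-Proto", "").strip().lower() == "https":
        return 200, None
    return 301, HTTPS_URL

def follow(url, backend, max_hops=10):
    """Follow redirects as a browser would; return (status, hops, looped)."""
    seen, hops = set(), 0
    while hops <= max_hops:
        if url in seen:                       # same URL requested twice: loop
            return 301, hops, True
        seen.add(url)
        if urlsplit(url).scheme == "http":    # port-80 VIP redirects to https
            url = "https" + url[len("http"):]
        else:                                 # port-443 VIP offloads, pool is http
            status, location = backend(lb_headers("https"))
            if status not in (301, 302):
                return status, hops, False
            url = location
        hops += 1
    return 301, hops, True

def ignores_forwarded_proto(sent_headers, status, location):
    """Check for a curl capture: request marked https, reply still redirects to https."""
    marked = sent_headers.get("X-Forwarded-Proto", "").strip().lower() == "https"
    target = urlsplit(location or "")
    return marked and status in (301, 302) and target.scheme == "https"

if __name__ == "__main__":
    print(follow("http://app.example" + PATH, backend_ignores_header))
    print(follow("http://app.example" + PATH, backend_honours_header))
```

Applied to the curl exchange in the first topic (header sent as https, 301 with an https Location), `ignores_forwarded_proto` returns True, which matches the loop the browser reports.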