Is there a way to get X-forwarded-for working with SSL passthrough (NO offloading)?
I have some system owners who refuse to have any form of "man in the middle" sessions and require the F5 to pass all SSL sessions directly to the web servers, so I cannot do any form of SSL offloading or SSL proxying.
I've had success using an HTTP profile with x-forwarded-for enabled, however, I know you cannot use an HTTP profile if the VS is set to use 443.
Is there perhaps an iRule I could use and if so what would it look like, or something else as simple as enabling X-forwarded-for elsewhere?
(I'm very new to F5 / LTM so any detailed steps would be greatly appreciated)
Thanks in advance!
As the previous posters have already mentioned, you can't insert anything into SSL-protected content without performing MitM.
So you have to use either one of the following approaches...
Note: I would like to second Hannes' recommendation, by either...
If SSL is not offloaded on the bigip, there is no way it can decrypt the traffic coming from the servers and so nothing can be inserted into the headers.
All HTTP headers (incl. the optional X-Forwarded-For) are subject to encryption whenever SSL is enabled. You cannot read or modify the HTTP headers without offloading the SSL on the client side.
If the issue is a lack of visibility of the real customer IP address, you may want to consider an HSL logging solution, or consider changing your routing topology so that translating a customer IP is no longer required. There are no other options.
If your app owners refuse to let you use the best SSL stack around :-) and you can't have the LTM be the default route for the back-end server, but still require the original source address to be presented to those servers, you may consider using nPath routing (direct server return). Since you aren't inspecting content anyway, not having the response go through the BIG-IP isn't that big of a deal.
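To make the point in the replies above concrete (the headers sit inside the encrypted TLS payload, so a pass-through device can neither read them nor insert X-Forwarded-For), here is an added Go example that is not from this thread or from F5: it uses AES-GCM as a stand-in for TLS record protection, with a constructed key, request and client address, and shows that the Host header is unreadable in the ciphertext and that splicing an X-Forwarded-For header into the encrypted bytes makes the backend's integrity check fail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

const nonceLen = 12 // standard GCM nonce size, prefixed to each record

// InjectXFF is all a pass-through device without the session key can do:
// splice the header bytes into the ciphertext at a guessed offset, because
// the request line it would insert after is not visible. Any change to the
// ciphertext breaks the GCM tag, so the backend rejects the record.
func InjectXFF(record []byte, clientIP string) []byte {
	at := nonceLen + 16 // a guess at where the request line ends
	out := append([]byte{}, record[:at]...)
	out = append(out, []byte("X-Forwarded-For: "+clientIP+"\r\n")...)
	return append(out, record[at:]...)
}

// Demonstrate encrypts a request as the client would (AES-GCM standing in for
// the negotiated TLS record protection), then reports what the backend decodes
// from the untouched record, whether "Host:" is readable in the ciphertext,
// and the error the backend gets from the record with X-Forwarded-For spliced in.
func Demonstrate(key []byte, request, clientIP string) (string, bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", false, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return "", false, err
	}
	record := append(nonce, aead.Seal(nil, nonce, []byte(request), nil)...)
	visible := bytes.Contains(record, []byte("Host:"))
	plain, err := aead.Open(nil, record[:nonceLen], record[nonceLen:], nil)
	if err != nil {
		return "", visible, err
	}
	spliced := InjectXFF(record, clientIP)
	_, injectErr := aead.Open(nil, spliced[:nonceLen], spliced[nonceLen:], nil)
	return string(plain), visible, injectErr
}
```

The offset in InjectXFF is a guess by design; without the session key there is no offset that produces a record the backend will accept, which is why the replies say offloading (terminating TLS on the BIG-IP) is the only way to add the header.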
Thanks to everyone for their feedback, all the help is greatly appreciated!
I'll forward the recommendations onto the necessary parties!
Hello guys, Need some help.
It was confirmed we cannot use X-Forwarded-For for SSL pass-through VIPs, but if I add it, what will happen? Will the VIP still work? I mean, if the traffic is not offloaded on the BIG-IP, can it ignore the optional XFF HTTP profile and continue to work as it did earlier?
By mistake today I added XFF to one of our old VIPs, which caused a huge outage.
Our backend (Apache) was receiving invalid HTTP requests / invalid SSL handshakes and stalling as a result.
I'm a little confused here: as the BIG-IP cannot add/modify HTTP headers, how can the backend servers get invalid SSL handshakes? Anyone have any idea?