
X-Forwarded in F5

We have the X-Forwarded settings below configured on our Cisco ACE, and now we are migrating the VIP to F5 LTM. How can we configure X-Forwarded in F5?

insert-http X-Forwarded-Proto header-value "%is"
insert-http X-Forwarded-Port header-value "%is"
insert-http X-Forwarded-For header-value "%is"


Answers to this Question


Hi Sabeer Ali,

you could use the iRule below...

when HTTP_REQUEST {
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
}

... or just enable the "Insert X-Forwarded-For" option on your HTTP profile (recommended).

Cheers, Kai


In the HTTP profile there is a drop-down to enable the insertion of the header. It's literally an easy button on BIG-IP.

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/7.html


Thanks Kai,

Will it take care of IP, port and protocol?

I think it will only insert the X-Forwarded IP.


Create a custom HTTP profile and 'Enable' X-forwarder. https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

In the GUI it's just one click with the mouse. In the CLI, modify the global parameter of the HTTP profile:

ltm profile http new-http-x-forward-profile {
    insert-xforwarded-for enabled
}

Then apply the HTTP profile to your virtual server.


Just noticed you also mentioned X-Forwarded-Proto and X-Forwarded-Port. If you want those, you will have to either use a local traffic policy or an iRule. A real easy iRule to add those is this.

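when CLIENT_ACCEPTED {
    # A client SSL profile on the virtual server means the client side is HTTPS
    if { [PROFILE::exists clientssl] == 1 } {
        set protocol "https"
    }
    else {
        set protocol "http"
    }
}

when HTTP_REQUEST {
    # "replace" overwrites an existing header value, or adds the header if it is absent
    HTTP::header replace X-Forwarded-Proto $protocol
    # TCP::local_port is the BIG-IP side port of the client connection (the virtual server port)
    HTTP::header replace X-Forwarded-Port [TCP::local_port]
}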
Comments on this Answer
Comment made 05-Feb-2016 by Kai Wilke 6273
Hey Brad, is the ">=" expression required in the case that multiple SSL profiles are used?
Comment made 05-Feb-2016 by Brad Parker 4443
yeah, but then I realized "exists" is 0 or 1. Brain was going in two directions.
Comment made 05-Feb-2016 by Brad Parker 4443
exists vs counting is sometimes hard...
Comment made 05-Feb-2016 by Kai Wilke 6273
Okay, good to know... ;-) BTW: { [PROFILE::exists clientssl] == 1 } does the same as { [PROFILE::exists clientssl] }, but the latter is slightly faster. But on the other hand inserting an "== 1" would make the clause more visible...

Hi Sabeer Ali,

No, X-Forwarded-For would just forward the IP. To forward other information you should use the iRule below...

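when CLIENT_ACCEPTED {
    # Decide the client-side scheme once per connection
    if { [PROFILE::exists clientssl] } then {
        set client_protocol "https"
    } else {
        set client_protocol "http"
    }
}
when HTTP_REQUEST {
    # "insert" adds a new header line; a header of the same name already in the request is kept
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    HTTP::header insert "X-Forwarded-Proto" $client_protocol
    # TCP::client_port is the client's source port
    HTTP::header insert "X-Forwarded-Port" [TCP::client_port]
}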

Cheers, Kai

Comments on this Answer
Comment made 18-Aug-2016 by AaronH 0

This worked for me. Thanks

Comment made 23-Aug-2016 by Kai Wilke 6273

You're welcome!

Cheers, Kai
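
The iRules in this thread set the three headers but do not deal with copies of them that arrive in the client's request: `HTTP::header insert` adds a new header line next to any existing one, and `HTTP::header replace` changes only the last occurrence. The iRule below is an added example, not code from any poster in this thread; it assumes the virtual server is the first trusted hop (so client-supplied `X-Forwarded-*` values are untrusted) and that `X-Forwarded-Port` should carry the virtual server port, and the variable name `xf_proto` is illustrative.

```tcl
# Added example, not from the thread.
# Assumption: this virtual server is the first trusted proxy, so every
# X-Forwarded-* header received from the client is discarded and rebuilt.

when CLIENT_ACCEPTED {
    # Decide the scheme once per connection from the attached profiles.
    if { [PROFILE::exists clientssl] } {
        set xf_proto "https"
    } else {
        set xf_proto "http"
    }
}

when HTTP_REQUEST {
    # Visibility for operations: note requests that already carry a
    # forwarding header. Only the peer address is logged, not the
    # client-controlled header value.
    if { [HTTP::header exists "X-Forwarded-For"] } {
        log local0.info "Removing client-supplied X-Forwarded-For from [IP::client_addr]"
    }

    # HTTP::header remove drops every occurrence of the named header,
    # so no client-supplied copy reaches the pool member.
    foreach name { "X-Forwarded-For" "X-Forwarded-Proto" "X-Forwarded-Port" } {
        HTTP::header remove $name
    }

    # Insert exactly one authoritative value per header.
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    HTTP::header insert "X-Forwarded-Proto" $xf_proto
    # Port of the virtual server the client connected to.
    HTTP::header insert "X-Forwarded-Port" [TCP::local_port]
}
```

If BIG-IP itself sits behind another trusted proxy, append to the existing X-Forwarded-For value instead of removing it, and only for connections that come from that proxy's address.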