X-Forwarded-Proto Assistance

Hi - have a new scenario where the pool is expecting "X-Forwarded-Proto" information in the header. Does the default http/https profile insert this information automtically? I know some products do, just trying to figure out whether this will require a new iRule or not.

Thanks in advance.

6 Answer(s):

You have an option in the HTTP profile to insert it automatically yes
I'm looking at the profile right now, I'm not seeing specifically for the "x-forwarded-proto" insertion. Is it named something else?

I'm _not_ referring to "x-forwarded-for"
I do know we support X-Forwarded-For in the GUI, but I haven't heard for support of X-Forwarded-Proto. Is this true nmenant? I'll have to dig a bit and find out if the X-Forwarded-For option in the GUI inserts the X-Forwarded-Proto header as well.

If not, you can always use an iRule!

I don't think LTM does anything special for the X-Forwarded-Proto header. If you want to insert this header and the client SSL profile only allows SSL requests (Non-SSL Connections is not enabled) then you can configure a custom HTTP profile with 'Header Erase' set to X-Forwarded-Proto and 'Header Insert' set to 'X-Forwarded-Proto: https'. This ensures that any existing X-Forwarded-Proto headers are removed and a new X-Forwarded-Proto header with a value of https is inserted.

I touched base with the F5 PS guys - here is what I got back. Sounds like it is inline what you just posted.

Recommended solution would be:
- Use Insert header, in the custom HTTP profile that you applied to the virtual servers.

For HTTPS Virtuals, insert: X-Forwarded-Proto, with a value of https
For HTTP Virtuals, insert: X-Forwarded-Proto, with a value of http

Of course you could also use apply an iRule to the Virtual Server, something like this should work:

HTTP::header insert X-Forwarded-Proto “https”

If you're using this for anything other than reporting or logging, you should consider removing any existing headers with the name "X-Forwarded-Proto" before inserting it. This ensures that any headers the client inserts itself don't make it to the application. You can do this with the header erase option in the HTTP profile or in the iRule using HTTP::header remove "X-Forwarded-Proto".


Your answer: