Nimbostratus
sorry if this is a noob question but I am trying to pass the client IP address to the back end web server over https.
I have setup client-side SSL termination and server-side SSL initiation and have setup a profile and enabled "Insert XForwarded For" however this is not being populated.
Is this possible and how may I go about doing it?
Thanks in advance
Employee
this should work since you use a client SSL profile meaning within the BIGIP you have access to the HTTP stream...
Can you post your VS configuration from the bigip.conf ?
This should be pretty basic, default functionality.
Colin
NimbostratusI agree it should be pretty simple however I thought I was stupid when it didnt work.
I took a look at /var/log/ltm and didnt see anything that pointed me to what the problem was.
I have also created a service request with F5
Here is the relevent sections from the bigip.conf
(sorry my company is a bit funny about posting stuff to teh internet)
profile serverssl portaltest_server {
defaults from serverssl
cert "portaltest_server.crt"
}
profile serverssl authtest_server {
defaults from serverssl
cert "authtest_server.crt"
}
profile http http_xforward {
defaults from http
insert xforwarded for enable
}
profile http https_xforward {
defaults from http
redirect rewrite all
insert xforwarded for enable
}
node 192.168.222.237 {
screen linagwtest1
}
node 192.168.222.235 {
screen linidptest1
}
node 192.168.222.238 {
screen linagwtest2
}
node 192.168.222.236 {
screen linidptest2
}
pool NAM-authtest-https {
monitor all https
member 192.168.222.235:https session disable
member 192.168.222.236:https
pool NAM-portaltest-http {
member 192.168.222.237:http
member 192.168.222.238:http
}
pool NAM-portaltest-https {
monitor all https
member 192.168.222.237:https
member 192.168.222.238:https
pool NAM-authtest-http {
member 192.168.222.235:http
member 192.168.222.236:http
}
rule X-Forward-For {
when HTTP_REQUEST {
HTTP::header insert X-Forwarded-For [IP::remote_addr]
}
virtual DMZ-to-NAM-authtest {
destination 192.168.222.124:https
snat automap
ip protocol tcp
pool NAM-authtest-https
}
virtual DMZ-to-NAM-portaltest {
destination 192.168.222.123:https
snat automap
ip protocol tcp
profile authtest.worksafe.vic.gov.au http_xforward portaltest_server tcp
pool NAM-portaltest-https
rule X-Forward-For
}
virtual DMZ-to-NAM-authtest-redirect-to-https {
destination 192.168.222.124:http
snat automap
ip protocol tcp
profile https_rewrite tcp
rule http-redirect-to-https-portaltest.worksafe.vic.gov.au
}
virtual DMZ-to-NAM-portaltest-redirect-to-https {
destination 192.168.222.123:http
snat automap
ip protocol tcp
profile https_rewrite tcp
rule http-redirect-to-https-portaltest.worksafe.vic.gov.au_uri
}
Nimbostratus
Will update when I confirm.
Nimbostratus
Our configuration is as follows:
LTM<->NAM Reverse Proxy<->Apache Web Server
NAM = Novell Access Manager
We had the configuration working over HTTP and forwarding the X-Forward-For header however was unable to get it to work over HTTPS.
I assumed that the problem was with the LTM however when I ran a packet capture on the Apache Web Server and NAM server I could see the X-Forward-For header on the NAM side but not the Apache side.
After some research I discovered this option needed to be enabled on the NAM for X-Forward-For to work over HTTPS.
Thanks for the prompt help and giudence