Forum Discussion

Jerry_Shen_1215
Sep 17, 2013

X-Forwarded-For not logging in Apache listening on port 443

Hi,

I have a virtual server listening on 443, and I also have a pool listening on 443 as well.

My pool members are Apache web servers. I am supposed to log the X-Forwarded-For header's client address into the Apache logs.

I have an XFF iRule to write the XFF into the HTTP headers. However, it is not working.

Then I decided to change my pool members into normal port 80 HTTP pool members and it works.

What am I missing here? I need the pool members (Apache) to be 443 (listening on 443).

Will appreciate any help.

 

7 Replies

  • Can you describe the SSL setup on the F5 and Apache servers please. Are you actually terminating the SSL on the F5?

  • You can also skip the iRule and just enable the X-Forwarded-For option in the HTTP profile applied to the VIP (assuming you're terminating and optionally re-encrypting the SSL).

  • Hi, I have checked my configurations.

    In the HTTP profile I have enabled X-Forwarded-For for my Virtual Server.

    I also have a Client_SSL profile and a Server SSL profile. Therefore the SSL termination should be in place before the F5 tries to re-encrypt the SSL traffic.

    I also tried to sniff the traffic at the backend (from the F5 VSIP to my Apache server). I can't seem to find the X-Forwarded-For field in the HTTP header when I try to decrypt using my Apache server private key.

    Or was the tcpdump that I performed done incorrectly?

    The dump syntax I use is: tcpdump -nnvvXSs 1514 -i dst -w /var/tmp/xxx.pcap

    I am using Wireshark with my Apache private key defined in "Preferences -> SSL -> RSA Key list"

    What am I missing?

    • What_Lies_Bene1
      I assume however that you can decrypt and view the HTTP packets, yes?
    • Jerry_Shen_1215
      Yes, I can decrypt the packet terminating at the virtual server and saw the XFF header. However, in the packet sent out to my pool members I don't see the XFF header in the HTTP packets. I am using SNAT automap, so it's from my virtual server IP to the pool member.
  • An iRule to insert an XFF header and to cross-check it would look like this:

    # Client side: add the real client address before the request is proxied.
    when HTTP_REQUEST {
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }

    # Server side: fires just before the request goes to the pool member.
    # HTTP:: commands here must be wrapped in clientside {} to read the headers.
    when HTTP_REQUEST_SEND {
        if {[clientside {HTTP::header exists "X-Forwarded-For"}]} {
            foreach xffvalue [clientside {HTTP::header values "X-Forwarded-For"}] {
                log local0. "serverside XFF: $xffvalue"
            }
        }
    }

    Run 'tail -f /var/log/ltm' to verify the header insert in the LTM log facility.

    Actually, the foreach loop is able to test for multiple XFF headers.
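The replies above show that the load balancer appends X-Forwarded-For on the server side and that the header can carry several values. As an added example that is not part of this thread and not F5 or Apache code, here is a Python script that reads Apache access-log lines and decides which address to treat as the client. It assumes a LogFormat that records `%{X-Forwarded-For}i` as the last quoted field, and that the only hosts allowed to set XFF are the load balancer's SNAT addresses (the constructed network 10.0.0.0/24). XFF is honoured only when the TCP peer is such a proxy, and then the rightmost non-proxy entry is used, since that is the value the F5 appended rather than one the client may have supplied itself. Lines with no XFF at all are flagged, which is the symptom described in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Added example (not from the thread). Assumes Apache logs the header with a
# LogFormat such as (constructed):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" xff
# and that only the load balancer's SNAT addresses may set X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]  # constructed SNAT range

# Constructed sample log lines: %h is the SNAT address for the first three,
# the third request arrived with no XFF header at all (the symptom in the
# thread), and the fourth came straight from an untrusted host that set its own XFF.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2013:10:00:01 +0800] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0" "203.0.113.7"
10.0.0.5 - - [17/Sep/2013:10:00:02 +0800] "GET /a HTTP/1.1" 200 128 "-" "Mozilla/5.0" "198.51.100.9, 203.0.113.7"
10.0.0.5 - - [17/Sep/2013:10:00:03 +0800] "GET /b HTTP/1.1" 200 64 "-" "Mozilla/5.0" "-"
192.0.2.44 - - [17/Sep/2013:10:00:04 +0800] "GET /c HTTP/1.1" 200 64 "-" "Mozilla/5.0" "203.0.113.8"
"""

LINE_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)


def _is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client(remote, xff):
    """Return the address to treat as the real client for one log line.

    Only honour XFF when the TCP peer (%h) is a trusted proxy, and then take
    the rightmost entry that is not itself a trusted proxy: that is the value
    the load balancer appended, whereas entries further left were supplied by
    the client and may be forged.
    """
    if not _is_trusted(remote) or xff in ("", "-"):
        return remote
    for candidate in reversed([v.strip() for v in xff.split(",")]):
        if not candidate or _is_trusted(candidate):
            continue
        try:
            return str(ip_address(candidate))
        except ValueError:
            break  # malformed entry: do not trust anything to its left
    return remote


def parse_log(text):
    """Parse access-log lines into dicts with the effective client filled in."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected LogFormat
        rec = m.groupdict()
        rec["client"] = effective_client(rec["remote"], rec["xff"])
        rec["xff_missing"] = rec["xff"] == "-"
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        flag = "  (no XFF: check the HTTP profile / iRule)" if rec["xff_missing"] else ""
        print(f'{rec["remote"]:>12} -> client {rec["client"]:>14}  {rec["request"]}{flag}')
```

Running the script prints one line per request with the address the script would attribute it to; the third sample line is the case from this thread, where the header never reached Apache, and the fourth shows why the peer address must be checked before XFF is believed at all.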