Prav_191113
Mar 08, 2015

API call issue when XFF and SSL offloading enabled

Hi, we have 2 pool member (web) servers load balanced by F5. I have got advanced logging set up on the pool member servers and also got XFF enabled on the F5 virtual server (VIP) on port 443. This web service has 2 https sites and one https site set up. Routing has been enabled between the 2 servers from the VIP (virtual server), and persistence mode is also enabled (sticky session). I am able to get the original IP address logged in the IIS advanced log. It all works fine.

Now the problem is that we have an API which calls the 3 web services to retrieve the data from 3 sites. With the http site, API calls work fine without any timeout on consecutive calls. But when the API calls the https site, after the first call to the https site, the next one times out, takes long and errors out. It seems to be a timeout issue. So to test it further I got XFF disabled and also SSL offloading disabled. Then the API call works fine without any timeout issue and consecutive calls do give the result, but when I reverted the settings back by enabling XFF and also SSL offloading, the problem appears again. I have also used the curl command to test the POST request call without the API to test it further; it gives you the result when SSL offloading and XFF are disabled.

I understand that the load balancer is required to decrypt the stream in order to insert the header. The only variation that could be introduced would be whether the stream needs to be re-encrypted towards the server or not. We could turn off XFF and leave the SSL decryption/re-encryption in place, but not the other way around. In a plain-text stream (http over https for example) there would not need to be any SSL decryption in order to insert the XFF header. If we disable XFF then we would not be able to get the original IP address logging to work, where IP address logging is our primary goal.

What I want to achieve is original IP address logging, where XFF needs to be enabled on the F5, without SSL offloading enabled. (I understand the fact that with XFF enabled it also requires SSL offloading to be enabled.) But I don't want the SSL encryption or decryption to be done, so that my API can work without any issues. My API calls may be timing out because of the SSL re-encryption and decryption happening between consecutive calls.

Could you guys please help me out in getting this thing working?

3 Replies

  • Hi Nitass, apologies for the delayed response. Digging further at the issue, I had XFF turned off and SSL offloading enabled, and the moment the change took effect the API started working fine without any issue. It seems the XFF header is at fault and causing the API call to time out. I need XFF because I want to have original IP address logging working (business requirement), so it's getting complicated now. How will the XFF header have an impact on API calls? What does XFF do in the background; does it get involved with any encryption/decryption activities? I have also been given to understand that the XFF header is limited to HTTP requests?

     

  • How will the XFF header have an impact on API calls?

     

    Have you tried tcpdump/ssldump? I do not think XFF has an impact.

     

    I have also been given to understand that the XFF header is limited to HTTP requests?

     

    No.