Forum Discussion

CSOC_146480
Jan 26, 2016

web proxy XFF header https

Hello,

 

I have recently noticed that my configured F5 proxy is forwarding XFF for http but not for https. For https the F5 is being the broker for client and so client source becomes the F5 for https.

 

Is there any way for the F5 to proxy client WWW traffic and forward XFF? We are running identity awareness on the next hop device.

 

Flow is as follows. (F5 VS is explicit http proxy currently)

 

client --> GTM pool to resolve client proxy IP --> GSLB pool (3 x VS) --> Check point with IA (3 in total)

 

In F5 case, the next hop and DG is the Check Point firewall.

 

If the above cannot send XFF for https:

 

  1. Is there another way to use the F5 as a WWW proxy and send original client IP or information to the next hop Check Point?
  2. If we enabled WWW proxy on the Check Point, can the GTM resolve to the Check Point as a node without proxying the users? There are three routes to the internet for clients.

Thanks for any help,

 

Derrick

 

3 Replies

  • I think the answer to my question is that the Check Point needs to proxy the user traffic, not the F5. Will look at load balancing the Check Points to the Check Point proxies rather than proxy on the F5.
  • BinaryCanary_19
    Historic F5 Account
    On F5, you can configure the HTTP profile on the Virtual Server handling the traffic to insert XFF Header.
  • Thanks, was already doing XFF insert in http profile on the VS, but the problem was that if using explicit proxy then XFF is encrypted by the time it gets to next hop all the way to WWW server.

     

    Not using the F5 as explicit proxy is working in the testing so far. Users are now proxy terminating on next hop to F5 rather than the F5, with XFF being forwarded using SNAT via the VS. The VS is resolved as the proxy IP by GTM. All good.
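
Added example (not part of the original thread, and not F5 or Check Point code): a minimal Python model of what an explicit forward proxy sends upstream, showing why X-Forwarded-For can be inserted for plain HTTP but not for HTTPS tunneled through CONNECT. The client IP, hostnames and byte strings are constructed samples, and the model assumes the next hop is a routed device rather than a chained upstream proxy.

```python
# Constructed sample values (assumptions, not taken from the thread).
CLIENT_IP = "10.1.2.3"
HTTP_REQ = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
# First bytes of a TLS handshake record (truncated, constructed).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def add_xff(request: bytes, client_ip: str) -> bytes:
    """Insert or extend X-Forwarded-For in a plaintext HTTP/1.1 request head."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    out, seen = [lines[0]], False
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            # Append to an existing chain instead of overwriting it.
            line = name + b": " + value.strip() + b", " + client_ip.encode()
            seen = True
        out.append(line)
    if not seen:
        out.append(b"X-Forwarded-For: " + client_ip.encode())
    return b"\r\n".join(out) + sep + body


def is_tls_record(data: bytes) -> bool:
    """TLS record header: content type 0x14-0x17, major version 0x03."""
    return len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03


def proxy_upstream(client_ip: str, first: bytes, tunneled: bytes = b""):
    """Return (bytes sent towards the next hop, XFF readable in them?)."""
    method = first.split(b" ", 1)[0]
    if method == b"CONNECT":
        # The proxy answers the CONNECT itself, then relays the tunnel
        # byte for byte. It never sees an HTTP request head to edit.
        upstream = tunneled
    else:
        upstream = add_xff(first, client_ip)
    return upstream, b"x-forwarded-for:" in upstream.lower()


if __name__ == "__main__":
    print(proxy_upstream(CLIENT_IP, HTTP_REQ))
    up, visible = proxy_upstream(CLIENT_IP, CONNECT_REQ, TLS_CLIENT_HELLO)
    print(is_tls_record(up), visible)
```

A device in the path can only read or add the header on HTTPS if it terminates or intercepts the TLS session itself, which matches the outcome in the thread of moving proxy termination to the next hop.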