- Ryan_80361 (Cirrostratus)
I guess it depends on how you've designed your environment, but at a minimum you need to allow the BIG-IP to be able to see "inside" the encrypted traffic. You can do this by either SSL offloading or SSL bridging; you can then enable an HTTP profile with the insert X-Forwarded-For option enabled.
- spurushothaman_ (Nimbostratus): SSL bridging is deprecated because of the security vulnerability.
- Ryan_80361 (Cirrostratus): What vulnerability, can you elaborate please?
- Minn_62043 (Cirrostratus)
If SSL is terminated at the backend server, BIG-IP will not be able to see the HTTP headers inside the SSL traffic and cannot add the XFF header.
You can only use routed mode, where SNAT is removed and backend servers use BIG-IP as the gateway for the incoming traffic.
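
For the X-Forwarded-For approach described in the first reply, the backend still has to decide when to believe the header. The sketch below is an added example, not part of the thread and not F5 code; the trusted-proxy range and the function names are assumptions, and it assumes the BIG-IP's own value is the last one in the request.

```python
import ipaddress

# Assumed (constructed) range: the BIG-IP self IPs / SNAT addresses that
# open connections to the backend. Replace with your own.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_headers):
    """Return the client address a backend should log or rate-limit on.

    peer        -- source IP of the TCP connection as seen by the backend
    xff_headers -- every X-Forwarded-For header line in the request, in order
    """
    peer_addr = ipaddress.ip_address(peer)
    # A request that did not arrive through the proxy can carry any XFF value
    # the sender likes, so the header is ignored entirely.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    # Flatten repeated header lines and comma-separated lists into one chain.
    chain = [v.strip() for line in xff_headers for v in line.split(",") if v.strip()]
    # Walk from the right: the value nearest the backend was added by the
    # proxy; anything further left was supplied by the client.
    for value in reversed(chain):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            break  # malformed entry: stop trusting the chain here
        if not _is_trusted(addr):
            return str(addr)
    # No usable entry: fall back to the connection's source address.
    return str(peer_addr)
```

In routed mode without SNAT, as in the last reply, the peer address is already the client and no header is consulted.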