Prav_191113
Mar 08, 2015 Nimbostratus
API call issue when XFF and SSL offloading enabled
Hi, we have 2 pool member (web) servers load balanced by F5. I have got the advanced logging set up on the pool member server and also got XFF enabled on the F5 virtual server (VIP) on port 443. This web service has 2 https sites and one https site set up. Routing has been enabled between the 2 servers from the VIP (virtual server), and the persistence mode is also enabled (sticky session). I am able to get the original IP address logged in the IIS advanced log. It all works fine.
Now the problem is that we have an API which calls the 3 web services to retrieve the data from the 3 sites. With the http site, API calls work fine without any timeout on consecutive calls. But when the API calls the https site, after the first call to the https site the next one times out, takes long and errors out. It seems to be a timeout issue. So to test it further I got XFF disabled and also SSL offloading disabled. Then the API call works fine without any timeout issue and consecutive calls do give the result, but when I reverted the settings back by enabling XFF and also SSL offloading, the problem appears again. I have also used the curl command to test the POST request call without the API to test it further; it gives you the result when SSL offloading and XFF are disabled.
I understand that the load balancer is required to decrypt the stream in order to insert the header. The only variation that could be introduced would be whether the stream needs to be re-encrypted towards the server or not. We could turn off XFF and leave the SSL decryption/re-encryption in place, but not the other way around. In a plain-text stream (http over https for example) there would not need to be any SSL decryption in order to insert the XFF header. If we disable XFF then we would not be able to get the original IP address logging to work, and IP address logging is our primary goal.
What I want to achieve is original IP address logging, where XFF needs to be enabled on the F5, without SSL offloading enabled. (I understand the fact that with XFF enabled it also requires SSL offloading to be enabled.) But I don't want the SSL encryption or decryption to be done, so that my API can work without any issues. My API calls may be timing out because of the SSL re-encryption and decryption happening between consecutive calls.
Could you guys please help me out in getting this thing working?