Forum Discussion

10 Replies

  • No, there should be no impact to your application other than the addition of the new X-Forwarded-For header in the request data that it receives. Just simply modify your HTTP profile to enable the X-Forwarded-For option and you should be all set.

     

  • Hi Josh and Samir, thanks for your advice. So either using an iRule or modifying the HTTP profile to set "Insert X-Forwarded-For" to enabled is sufficient, and will not cause downtime. How about X-Forwarded-Proto? Please advise how this can be configured, and does it also require no downtime?

     

  • I assume you are doing SSL termination (offloading) at the BigIP and want a header to send to your servers to indicate the original request was HTTPS. What we do for this is use a policy on the HTTPS virtual server to insert this header. Attaching the policy will cause no downtime.

    ltm policy X-Forwarded-Proto {
        requires { client-ssl http }
        rules {
            X-Forwarded-Proto_insert {
                actions {
                    0 {
                        http-header
                        insert
                        name X-Forwarded-Proto
                        value https
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }
    
  • Thanks Brad for your advice. Please advise, is it necessary to implement an iRule for both X-Forwarded-For and X-Forwarded-Proto, or is either one enough?

     

  • Well, you can do it with the HTTP profile option with the policy I mentioned above (will perform better as they are built-in features) or you can do it with a single iRule that will insert both.

    when HTTP_REQUEST {
        # Add the connecting client's address as an X-Forwarded-For header
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
        # Only mark the request as HTTPS when a client SSL profile is on this virtual server
        if {[PROFILE::exists clientssl] == 1} {
            HTTP::header insert "X-Forwarded-Proto" "https"
        }
    }
    
  • Akamai uses the True-Client-IP header to forward the website visitor IP. If we already enabled X-Forwarded-For, does this mean that F5 LTM will be able to capture and track Akamai’s client IP information?

     

    • Brad_Parker
      If Akamai uses a different header, the F5 or your back end server can track it. If you want the F5 to translate it to X-Forwarded-For you can just specify the header in the "XFF Alternative Names" property in the HTTP profile.
  • If we did not specify the header in the "XFF Alternative Names" property in the HTTP profile, what will F5 do when it receives this Akamai True-Client-IP header?

     

    • Brad_Parker
      It won't do anything with the header. It will be unaffected and be sent as part of the request to the pool member.
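
How a pool member can consume the headers inserted in this thread, as an added example that is not part of the original posts: `HTTP::header insert` adds a new header line without removing any the client already sent, so the server should honour forwarding headers only on connections from the BIG-IP and read them from the right. The `TRUSTED_PROXIES` range, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed value: the self IP / SNAT range from which the BIG-IP
# connects to the pool member. Replace with your own addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    """True when addr parses as an IP inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_values):
    """Pick the client address to log.

    peer_addr  -- TCP peer of the connection
    xff_values -- every X-Forwarded-For header line, in received order
    """
    if not _is_trusted(peer_addr):
        return peer_addr              # direct connection: ignore the header
    hops = [h.strip() for line in xff_values
            for h in line.split(",") if h.strip()]
    for hop in reversed(hops):        # the proxy's own entry is the last one
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr          # malformed entry: stop trusting the chain
        if not _is_trusted(hop):
            return hop                # first address not added by our proxies
    return peer_addr


def request_scheme(peer_addr, xfp_values, default="http"):
    """Honour X-Forwarded-Proto only from a trusted peer; use the last line."""
    if not _is_trusted(peer_addr) or not xfp_values:
        return default
    value = xfp_values[-1].strip().lower()
    return value if value in ("http", "https") else default
```

On a virtual server without a client SSL profile the iRule above inserts no X-Forwarded-Proto, so a header sent by the client reaches the pool member unchanged and `request_scheme` cannot tell it apart from one added by the BIG-IP.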