Forum Discussion
10 Replies
No, there should be no impact to your application other than the addition of the new X-Forwarded-For header in the request data that it receives. Just simply modify your HTTP profile to enable the X-Forwarded-For option and you should be all set.
- Samir_Jha_52506Noctilucent
No downtime require to implement X-Forwarded method in iRule or HTTP profile.
- dw_888_212625Nimbostratus
Hi Josh and Samir, for your advice. So either using irule or modify the HTTP profile "Insert X-Forwarded-For" enabled is sufficient, and will not cause downtime. How about X-Forwarded-Proto? Please advise how can this be configured and also no downtime required?
- Brad_ParkerCirrus
I assume you are doing SSL termination(offloading) at the BigIP and want a header to send to your servers to indicate the original request was HTTPS. What we do for this is use a policy on the HTTPS virtual server to insert this header. Attaching the policy will cause no downtime.
ltm policy X-Forwarded-Proto { requires { client-ssl http } rules { X-Forwarded-Proto_insert { actions { 0 { http-header insert name X-Forwarded-Proto value https } } ordinal 1 } } strategy first-match }
- dw_888_212625Nimbostratus
Thanks Brad for your advice. Please advise is it necessary to implement an irule for both x-forwarded-for an x-forwarded-proto, or either 1 is enough?
- Brad_ParkerCirrus
Well you can do it with the http profile option with the policy I mentioned above(will perform better as they are built in features) or you can do it with a single iRule that will insert both.
when HTTP_REQUEST { HTTP::header insert "X-Forwarded-For" [IP::client_addr] if {[PROFILE::exists clientssl] == 1}{ HTTP::header insert "X-Forwarded-Proto" "https" } }
- dw_888_212625Nimbostratus
Akamai uses True-Client-IP header to forward the website visitor IP. if we already enabled X-Forwarded-For, does this mean that F5 LTM will be able to capture and track Akamai’s client IP information?
- Brad_ParkerCirrusIf Akamai uses a different header the F5 or your back end server can track it. If you want the F5 to translate if to X-Forwarded-For you can just specify the header in the "XFF Alternative Names" property in the HTTP profile.
- dw_888_212625Nimbostratus
If we did not specify the header in the "XFF Alternative Names" property in the HTTP profile, what will F5 do when it receive this Akamai True-Client-IP header?
- Brad_ParkerCirrusIt won't do anything with the header. It will be un-affected and be sent as part of the request to the pool member.