designetwork(EN)

IT technical memo of networking

Setting to add X-Forwarded-Proto in BIG-IP


When load balancing HTTP/S with F5 BIG-IP with S-NAT enabled, the server sees the S-NAT address instead of the client's address, so have BIG-IP add the X-Forwarded-Proto and X-Forwarded-For HTTP headers.

The setting method used here is based on the following discussion.

devcentral.f5.com

Verification configuration

Verification version: F5 BIG-IP VE 13.0.0 (Build 0.0.1645)

A web server (Rails) is launched on a MacBook and accessed from a web browser (Chrome) on the same machine via the BIG-IP Virtual Server. S-NAT is enabled so that this communication works normally.

Setup and operation confirmation

For the basic setup, create a Node and a Pool for Rails, then create a Virtual Server and assign the Pool to it. For testing with plain HTTP, the Virtual Server type (Type) is Performance (HTTP).

A packet capture of the access was taken on the PC, so it shows both the Client (Chrome) -> Virtual Server packets and the S-NAT -> Server (Rails) packets. The IP addresses are as follows.

Client: 192.168.1.102
Server: 192.168.1.102
Virtual Server: 192.168.1.91
S-NAT Address: 192.168.1.8

At this point, neither X-Forwarded-Proto (XFP) nor X-Forwarded-For (XFF) is added.

X-Forwarded-Proto, X-Forwarded-For

Create a profile that adds XFF and XFP to the HTTP header.

Local Traffic > Profiles > Protocols > Fast HTTP

In the HTTP-related settings, set Insert X-Forwarded-For: Enabled and Request Header Insert: X-Forwarded-Proto: http.

Apply the created profile to the Virtual Server.

After the profile is applied, existing connections may remain, so clear them by taking the Node Offline / Online or similar as necessary.

When HTTP access is done again, X-Forwarded-For and X-Forwarded-Proto have been added to the HTTP header.

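On the Rails side, the inserted headers are only as trustworthy as the path the request took. The following Rack-style middleware is an added example, not code from the original post or from F5: it honours X-Forwarded-For and X-Forwarded-Proto only when the TCP peer is the S-NAT address, and discards them otherwise. The class name, the `client.ip` / `client.scheme` env keys, and the assumption that BIG-IP's value is the right-most entry of a comma-joined header are all assumptions of this example.

```ruby
require "ipaddr"

# Added example, not from the original post. Rack-style middleware for the Rails side.
# Assumption: only the BIG-IP S-NAT address may supply X-Forwarded-* headers.
class TrustedForwardedHeaders
  FORWARDED = %w[HTTP_X_FORWARDED_FOR HTTP_X_FORWARDED_PROTO HTTP_X_FORWARDED_PORT].freeze

  def initialize(app, trusted_proxies:)
    @app = app
    @trusted = trusted_proxies.map { |p| IPAddr.new(p) }
  end

  def call(env)
    peer = env["REMOTE_ADDR"].to_s
    if trusted?(peer)
      env["client.ip"] = forwarded_ip(env) || peer          # hypothetical env keys
      env["client.scheme"] = forwarded_scheme(env) || "http"
    else
      # Request bypassed BIG-IP: the headers are client-controlled, so discard them.
      FORWARDED.each { |key| env.delete(key) }
      env["client.ip"] = peer
      env["client.scheme"] = env["rack.url_scheme"] || "http"
    end
    @app.call(env)
  end

  private

  def trusted?(addr)
    return false if addr.empty?
    ip = IPAddr.new(addr)
    @trusted.any? { |net| net.include?(ip) }
  rescue IPAddr::Error
    false
  end

  # Assumption: BIG-IP's entry is the right-most one; anything before it came from the client.
  def forwarded_ip(env)
    last = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map(&:strip).reject(&:empty?).last
    last && IPAddr.new(last).to_s
  rescue IPAddr::Error
    nil
  end

  def forwarded_scheme(env)
    proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").last.to_s.strip.downcase
    %w[http https].include?(proto) ? proto : nil
  end
end
```

With the addresses from this verification setup, it would be constructed with `trusted_proxies: ["192.168.1.8"]`.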

Changing the applied profile for HTTPS

The above describes how to apply the setting with Performance (HTTP). When using HTTPS (SSL) or the like, the headers can be set in the same way in whichever profile is used.

When using a normal HTTP profile, the location is different, but the XFP header is set in the same way with Request Header Insert.

Adding X-Forwarded-Port?

In addition to X-Forwarded-Proto, there may be cases where you want to add X-Forwarded-Port. Unfortunately, this has to be specified in iRules.

devcentral.f5.com

Even if variables are specified in the GUI, they are not expanded, so the information cannot be obtained dynamically.

Conclusion - Setting to give X-Forwarded-Proto in BIG-IP

By creating an HTTP profile, X-Forwarded-Proto was added to the HTTP header in the S-NAT environment. If you wish to add X-Forwarded-Port, you need to use iRules.


This blog is the English version of my Japanese blog.

Sorry if my English sentences are incorrect.