topic Insert https x-forwarded-for in Application Networking

Insert https x-forwarded-for

Haiver Bermon — Fri, 26 Feb 2010 20:35:08 GMT

Hello all,

I have an ACE 4700 and It is balancing a web aplication using tcp ports 80 (http) and 443 (https). The configuration of ACE is in One-Arm, it means that the ACE does a NAT to client IP source address.

For requeriment legal the web aplication must to show the client IP source address in the web site, but with configurationin One-Arm only shows the IP address ACE.

Whit the next configuration I can insert into the http packet the client IP source address

policy-map type loadbalance first-match L7_LB_POLICY_SURA.COM.CO

class class-default

serverfarm sura.com.co

insert-http X-Forwarded-For header-value "%is"

but that don´t work with HTTPS (443)

How do I do in HTTPS?

If I buy this licenses, Can I do this?

ACE-AP-SSL-05K-K9

ACE-AP-SSL-07K-K9

ACE-AP-SSL-100-K9

ACE-AP-SSL-UP1-K9

ACE-AP-SSLUP-5K-K9

Thanks.

Haiver Bermon

Re: Insert https x-forwarded-for

jason.espino — Fri, 26 Feb 2010 22:04:08 GMT

Hello Haiver,

The X-Forwarded-For option appends the client IP within the HTTP header of the packet. HTTPS will not work if you are not performing SSL acceleration as the inbound HTTPS packets are encrypted. You will need one of the SSL licenses on the ACE to perform SSL acceleration and have the load balancer insert the X-Forwarded-For value within the decrypted HTTPS traffic.

Regards,

Jason

Re: Insert https x-forwarded-for

Haiver Bermon — Fri, 26 Feb 2010 23:37:42 GMT

Thanks very much Jason, do you know which SSL licenses I have to use?

Re: Insert https x-forwarded-for

jason.espino — Sat, 27 Feb 2010 00:22:18 GMT

Hello Haiver,

Any of the following licenses should work:

ACE-AP-SSL-05K-K9 ---- SSL 5,000 TPS License

ACE-AP-SSL-7K-K9 ---- SSL 7,500 TPS License

You will not require an "UP" SSL license as you are not upgrading from an existing license.

Regards,

Jason

Re: Insert https x-forwarded-for

Eric Rose — Mon, 01 Mar 2010 14:55:51 GMT

The ace that you have should have some SSL tps from the base license. you can check here based on your model that you purchased and then what is installed.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html#wp248237

Re: Insert https x-forwarded-for

Haiver Bermon — Mon, 01 Mar 2010 17:20:52 GMT

Hello Eric, Jason, thanks.

I checked the url and my ACE has 100 SSL TPS by default. Do You know how configure a policy to do this? I want to probe in a LAB context, if it work I'll buy the license to 5000 TPS

Re: Insert https x-forwarded-for

Haiver Bermon — Mon, 01 Mar 2010 18:16:59 GMT

Hello Jason, thanks

I checked the url and my ACE has 100 SSL TPS by default. Do You know how configure a policy to do this? I want to probe in a LAB context, if it work I'll buy the license to 5000 TPS

Re: Insert https x-forwarded-for

dario.didio — Tue, 02 Mar 2010 09:14:20 GMT

Hi,

you don't need to buy any license.

By default the ACE can do SSL Offload (1000 Transactions per Second). This means that the HTTS session is terminated at the ACE (and no longer at the server).

Take a look at following example on how to configure ssl offload:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

HTH,
Dario

Re: Insert https x-forwarded-for

Haiver Bermon — Tue, 02 Mar 2010 19:30:19 GMT

Hello, everybody, thanks for help.

I probed a configuration in a context LAB and It works. I used the examples that I found in this url, http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples

I have a final question. How do this configuration impact the ACE CPU?. Today the ACE has 2000 connections and the CPU level is 2%

Insert https x-forwarded-for

akhil.abrol — Fri, 13 Jan 2012 12:12:06 GMT

I have somewhat same scenario.

I offloaded the SSL on ACE to insert client ip in http. Then again encrypted the http which is getting offloaded on server. But it is not working. Is this a wrong approach?

Insert https x-forwarded-for

Borys Berlog — Fri, 13 Jan 2012 15:23:52 GMT

Hi Akhil

It should work. There is no limitation that this traffic can't be encrypted again. So if you decrypted and then inserted header properly it should work.

If your config looks ok - the best way to troubleshoot just to perform capturing and then decrypt it with private key of the server.

I guess it'd be better if you open a new topic for your issue just not to continue some old closed topics.