
X-Forward not supported by HTTP/S?

taralczak
Level 1

We're trying to set up ACE as described in document ID 107399 with the goal to have the IP address of the connecting HTTP clients inserted as the "X-FORWARD" attribute in the HTTP header. With HTTP it works but with HTTP/S it doesn't. Is this feature effectively limited to unsecure HTTP clients?

Accepted Solutions

Daniel Arrondo Ostiz
Cisco Employee

Hi Jan,

It is possible to insert headers/cookies into an HTTPS connection, but to do that, the ACE needs to be able to decrypt the traffic. It's what we call end-to-end SSL termination.

There is an example on cisco.com that explains how to configure this. The example inserts cookies, but inserting the x-forwarded header would be equivalent. See the link below for more details:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml

With this kind of configuration, the ACE will first terminate the SSL connection to decrypt the traffic, then do any kind of L7 processing (parsing the HTTP header, inserting headers or cookies, rewriting URLs...) and, once it has finished all the processing and chosen a real server to handle the connection, it will open a new SSL connection to the server and send the request encrypted again.

Please, do not hesitate to contact me again if you still have questions after going through the example.

Regards

Daniel
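
The L7 step described in the answer above, as an added Python illustration that is not part of the original post and is not ACE or Cisco code: it shows why the insertion works on cleartext HTTP but has nothing to parse until TLS is terminated. The function names, the `X-Forwarded-For` default, the sample bytes and the choice to drop a client-supplied copy of the header are assumptions of this sketch.

```python
# Added illustration; not ACE code. Names and the header default are assumptions.
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data


def looks_like_tls(data: bytes) -> bool:
    """True if the bytes start with a TLS record header (type, 0x03, minor version)."""
    return len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4


def insert_client_ip(data: bytes, client_ip: str, name: str = "X-Forwarded-For") -> bytes:
    """Insert `name: client_ip` into a cleartext HTTP/1.x request head.

    Raises ValueError for TLS records: the header block is encrypted, so the
    proxy has to terminate TLS before it can do this step.
    """
    if looks_like_tls(data):
        raise ValueError("TLS record: terminate TLS before L7 header insertion")
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    request_line, *headers = head.split(b"\r\n")
    prefix = name.lower().encode() + b":"
    # Choice made in this sketch: drop any client-supplied copy of the header
    # so the backend only sees the value written by the proxy.
    kept = [h for h in headers if not h.lower().startswith(prefix)]
    kept.append(f"{name}: {client_ip}".encode())
    return b"\r\n".join([request_line, *kept]) + sep + body


# Constructed sample inputs (not captured traffic).
PLAIN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 10.9.9.9\r\n"  # value supplied by the client itself
    b"\r\n"
)
# First bytes of a TLS handshake record, as a device sees them on port 443.
TLS_CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])

if __name__ == "__main__":
    print(insert_client_ip(PLAIN_REQUEST, "192.0.2.10").decode())
    try:
        insert_client_ip(TLS_CLIENT_HELLO_PREFIX, "192.0.2.10")
    except ValueError as exc:
        print("HTTPS without termination:", exc)
```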
