Insert https x-forwarded-for

Answered Question
Feb 26th, 2010

Hello all,

I have an ACE 4700 and it is balancing a web application using TCP ports 80 (HTTP) and 443 (HTTPS). The configuration of the ACE is One-Arm, which means the ACE does a NAT of the client IP source address.

For a legal requirement, the web application must show the client IP source address on the web site, but with the configuration in One-Arm it only shows the IP address of the ACE.

With the following configuration I can insert the client IP source address into the HTTP packet:

!
policy-map type loadbalance first-match L7_LB_POLICY_SURA.COM.CO
  class class-default
    serverfarm sura.com.co
    insert-http X-Forwarded-For header-value "%is"
!

but that doesn't work with HTTPS (443).

How do I do it in HTTPS?

If I buy one of these licenses, can I do this?

ACE-AP-SSL-05K-K9
ACE-AP-SSL-07K-K9
ACE-AP-SSL-100-K9
ACE-AP-SSL-UP1-K9
ACE-AP-SSLUP-5K-K9

Thanks.

Haiver Bermon

Correct Answer by Eric Rose about 6 years 9 months ago

The ACE that you have should have some SSL TPS from the base license. You can check here based on the model that you purchased and then what is installed:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html#wp248237

Correct Answer by jason.espino about 6 years 9 months ago

Hello Haiver,

Any of the following licenses should work:

ACE-AP-SSL-05K-K9 ---- SSL 5,000 TPS License

ACE-AP-SSL-7K-K9 ---- SSL 7,500 TPS License

You will not require an "UP" SSL license as you are not upgrading from an existing license.

Regards,

Jason

Correct Answer by jason.espino about 6 years 9 months ago

Hello Haiver,

The X-Forwarded-For option appends the client IP within the HTTP header of the packet.  HTTPS will not work if you are not performing SSL acceleration as the inbound HTTPS packets are encrypted. You will need one of the SSL licenses on the ACE to perform SSL acceleration and have the load balancer insert the X-Forwarded-For value within the decrypted HTTPS traffic.

Regards,

Jason
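Because the ACE NATs the client address in one-arm mode, the web server only ever sees the ACE as its TCP peer, and the inserted X-Forwarded-For header is the sole record of the real client. The following is an added example (not from this thread or from Cisco) of how the server side should consume that header so that the legally required client address is logged correctly and a client-forged header is not trusted; the ACE NAT address 10.0.0.5 and the sample addresses are constructed for the example.

```python
"""Backend-side handling of the X-Forwarded-For (XFF) header inserted by a
one-arm load balancer (here the ACE) after SSL termination.

The header must be trusted ONLY when the TCP peer is the load balancer:
any client can send its own X-Forwarded-For value, so it is only the
right-most value, the one appended by the trusted hop, that is reliable.
"""
import ipaddress
from typing import Optional

# Constructed example value: the NAT source address the ACE uses in
# one-arm mode.  Replace with the real ACE interface / NAT pool address.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to log as the client.

    peer_addr  -- source address of the TCP connection seen by the server
    xff_header -- value of the X-Forwarded-For header, or None if absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # Connection not from the load balancer: the header may be forged,
    # so ignore it and log the direct peer.
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the right: skip any further trusted proxies and stop at the
    # first address a trusted hop claims to have received the request from.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: fall back to the peer address rather than
            # logging an attacker-chosen string.
            return str(peer)
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)
```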


Haiver Bermon Mon, 03/01/2010 - 09:20

Hello Eric, Jason, thanks.

I checked the URL and my ACE has 100 SSL TPS by default. Do you know how to configure a policy to do this? I want to test it in a LAB context; if it works I'll buy the 5000 TPS license.


Haiver Bermon Tue, 03/02/2010 - 11:30

Hello, everybody, thanks for help.

I tested a configuration in a LAB context and it works. I used the examples that I found in this URL: http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples

I have a final question. How does this configuration impact the ACE CPU? Today the ACE has 2000 connections and the CPU level is 2%.

akhil.abrol Fri, 01/13/2012 - 04:12

I have somewhat the same scenario.

I offloaded the SSL on the ACE to insert the client IP in HTTP. Then I encrypted the HTTP again, which is getting offloaded on the server. But it is not working. Is this a wrong approach?

Borys Berlog Fri, 01/13/2012 - 07:23

Hi Akhil,

It should work. There is no limitation that this traffic can't be encrypted again. So if you decrypted and then inserted the header properly, it should work.

If your config looks OK, the best way to troubleshoot is just to perform a capture and then decrypt it with the private key of the server.

I guess it'd be better if you open a new topic for your issue, just so as not to continue some old closed topics.
