New Member

Insert https x-forwarded-for

Hello all,

I have an ACE 4700 and it is balancing a web application using TCP ports 80 (HTTP) and 443 (HTTPS). The ACE is configured in one-arm mode, which means that the ACE NATs the client source IP address.

Because of a legal requirement, the web application must show the client source IP address on the web site, but with the one-arm configuration it only shows the ACE IP address.

With the following configuration I can insert the client source IP address into the HTTP packet:

!
policy-map type loadbalance first-match L7_LB_POLICY_SURA.COM.CO
  class class-default
    serverfarm sura.com.co
    insert-http X-Forwarded-For header-value "%is"
!

but that doesn't work with HTTPS (443).

How do I do this for HTTPS?

If I buy one of these licenses, can I do this?

ACE-AP-SSL-05K-K9         

ACE-AP-SSL-07K-K9         

ACE-AP-SSL-100-K9         

ACE-AP-SSL-UP1-K9         

ACE-AP-SSLUP-5K-K9        

Thanks.

Haiver Bermon

10 REPLIES
New Member

Re: Insert https x-forwarded-for

Hello Haiver,

The X-Forwarded-For option appends the client IP within the HTTP header of the packet.  HTTPS will not work if you are not performing SSL acceleration as the inbound HTTPS packets are encrypted. You will need one of the SSL licenses on the ACE to perform SSL acceleration and have the load balancer insert the X-Forwarded-For value within the decrypted HTTPS traffic.

Regards,

Jason

New Member

Re: Insert https x-forwarded-for

Thanks very much Jason, do you know which SSL licenses I have to use?

New Member

Re: Insert https x-forwarded-for

Hello Haiver,

Any of the following licenses should work:

ACE-AP-SSL-05K-K9 ---- SSL 5,000 TPS License

ACE-AP-SSL-7K-K9 ---- SSL 7,500 TPS License

You will not require an "UP" SSL license as you are not upgrading from an existing license.

Regards,

Jason

Cisco Employee

Re: Insert https x-forwarded-for

The ACE that you have should have some SSL TPS from the base license. You can check here, based on the model that you purchased and then what is installed.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html#wp248237

New Member

Re: Insert https x-forwarded-for

Hello Eric, Jason, thanks.

I checked the URL and my ACE has 100 SSL TPS by default. Do you know how to configure a policy to do this? I want to test it in a lab context; if it works I'll buy the license for 5000 TPS.

New Member

Re: Insert https x-forwarded-for

Hello Jason, thanks

I checked the URL and my ACE has 100 SSL TPS by default. Do you know how to configure a policy to do this? I want to test it in a lab context; if it works I'll buy the license for 5000 TPS.

Silver

Re: Insert https x-forwarded-for

Hi,

You don't need to buy any license.

By default the ACE can do SSL offload (1000 transactions per second). This means that the HTTPS session is terminated at the ACE (and no longer at the server).

Take a look at the following example of how to configure SSL offload:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

HTH,
Dario
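
The SSL offload described in this reply, combined with the header insertion from the original question, as an added example that is not part of the thread or of Cisco's documentation. Only the load-balancing policy map and serverfarm name come from the original post; the other object names, the 192.0.2.x addresses, VLAN 100, NAT pool 1 and the key/certificate file names are placeholders, and it assumes the key pair is already imported and the access lists that permit the traffic are already in place.

```cisco
! Added example: placeholder names, addresses, VLAN and file names.
! SSL termination profile: the ACE decrypts client HTTPS with this key pair.
ssl-proxy service SSL_TERM
  key EXAMPLE-KEY.pem
  cert EXAMPLE-CERT.pem

! Evaluate every request on a keepalive connection, so the header is
! inserted into each request and not only the first one.
parameter-map type http HTTP_PARAMS
  persistence-rebalance

rserver host WEB1
  ip address 192.0.2.11
  inservice

! The servers receive decrypted traffic, so they are addressed on port 80.
serverfarm host sura.com.co
  rserver WEB1 80
    inservice

! The VIP still listens on 443 towards the clients.
class-map match-all VIP_HTTPS
  2 match virtual-address 192.0.2.100 tcp eq https

! Policy map from the original question, unchanged.
policy-map type loadbalance first-match L7_LB_POLICY_SURA.COM.CO
  class class-default
    serverfarm sura.com.co
    insert-http X-Forwarded-For header-value "%is"

! ssl-proxy server makes the ACE the TLS endpoint, which is what lets
! insert-http see and modify the HTTP request.
policy-map multi-match CLIENT_VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_LB_POLICY_SURA.COM.CO
    appl-parameter http advanced-options HTTP_PARAMS
    ssl-proxy server SSL_TERM
    nat dynamic 1 vlan 100

! One-arm interface: source NAT pool plus the client-facing policy.
interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  nat-pool 1 192.0.2.50 192.0.2.50 netmask 255.255.255.0 pat
  service-policy input CLIENT_VIPS
  no shutdown
```

With this layout the ACE-to-server leg is cleartext HTTP, so it belongs on a trusted segment, and the application should accept X-Forwarded-For only on connections that arrive from the ACE NAT address.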

New Member

Re: Insert https x-forwarded-for

Hello everybody, thanks for the help.

I tested a configuration in a lab context and it works. I used the examples that I found at this URL: http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples

I have a final question: how does this configuration impact the ACE CPU? Today the ACE has 2000 connections and the CPU level is 2%.

New Member

Insert https x-forwarded-for

I have a somewhat similar scenario.

I offloaded the SSL on the ACE to insert the client IP in HTTP. Then I encrypted the HTTP again, which is getting offloaded on the server. But it is not working. Is this the wrong approach?
