Application Delivery (ADX)

New Contributor (Posts: 3, Registered: 09-20-2012)

CSW header rewrite to insert clientip on https but not http?

Hello All,

I have a CSW rule that matches if X-Forwarded-For is in the header and, if it is not, inserts the client IP. I also insert the protocol, http or https, because we are doing SSL termination. The csw rule and policy look like the following:

csw-rule "csw-rule2" header "X-Forwarded-For" exists
!
csw-rule "csw-rule2-nested" nested-rule "!csw-rule2" master-rule "csw-rule2"
!
csw-policy "policy-http"
 match "csw-rule2-nested" forward 1
 match "csw-rule2-nested" rewrite request-insert header "X-Forwarded-Proto:http"
 match "csw-rule2-nested" rewrite request-insert client-ip "X-Forwarded-For"
 default forward 1
 default rewrite request-insert header "X-Forwarded-Proto:http"
!
csw-policy "policy-ssl"
 match "csw-rule2-nested" forward 1
 match "csw-rule2-nested" rewrite request-insert header "X-Forwarded-Proto:https"
 match "csw-rule2-nested" rewrite request-insert client-ip "X-Forwarded-For"
 default forward 1
 default rewrite request-insert header "X-Forwarded-Proto:https"
!
!

What we find is that X-Forwarded-For is added on https calls but not on http calls. This behaves as expected on calls already containing X-Forwarded-For. And all calls have the Proto properly added, which means the rule is working on http and on https-terminated calls. Everything seems right to us; are we missing something? Since X-Forwarded-Proto:http is added, I would assume that the client IP should be added also. We are running version 12.4.00gT403.

Thanks

Contributor (Posts: 47, Registered: 07-14-2010)

Re: CSW header rewrite to insert clientip on https but not http?

Hi,

In the case of SSL, a proxy server may not add "X-Forwarded-For" because the traffic is encrypted and the cache server will just forward the HTTPS traffic at L3. Then, when your traffic reaches the ServerIron ADX, "X-Forwarded-For" is not set and your csw-policy seems to work. I think HTTPS traffic may not include X-Forwarded-For in most cases, although it is true that there are proxy servers that can cache and offload SSL traffic.

In the case of HTTP, there may be one or more proxy servers between the client and the ADX VIP. It may happen that multiple "X-Forwarded-For" headers are inserted, one by each proxy server the packet traversed. When ADX receives traffic where "X-Forwarded-For" is already set, ADX needs to add it as a new or similarly named HTTP header; otherwise ADX will do nothing. I.e. if "X-Forwarded-For" is already set, ADX will not modify it and will send it as is. Depending on the implementation, the client IP is added in the following manner. When I did the same thing as you 3 years ago with ADX, the IP address was added comma separated. But now ADX does not behave like that. Or maybe Apache's log just formatted the same HTTP header as comma separated. I don't remember.

X-Forwarded-For: 172.168.0.222, 3.3.3.3, 2.2.2.2

Anyway, I understand your requirement is to add the client IP with or without an existing "X-Forwarded-For" header. Since the nested rule makes my mind nested, I would simply use a "url exists" csw-rule. This is a "catch all" rule, and with it we can eliminate the need to configure a default rule (it is okay not to use a default rule). I tested and it worked fine from my point of view. I have shown below how I tested and confirmed. Please check, and if you have problems, please copy & paste logs similar to those I showed here.

-----------------
csw-rule "csw-rule1" url exists
csw-policy "policy-http"
 match "csw-rule1" forward 1
 match "csw-rule1" rewrite request-insert header "X-Forwarded-Proto:http"
 match "csw-rule1" rewrite request-insert client-ip "X-Forwarded-For"
!
csw-policy "policy-ssl"
 match "csw-rule1" forward 1
 match "csw-rule1" rewrite request-insert header "X-Forwarded-Proto:https"
 match "csw-rule1" rewrite request-insert client-ip "X-Forwarded-For"
-----------------

TEST

### Client side
root@ub00:~# curl -k http://140.1.1.1/
### eth3 ###
root@ub00:~# curl -k http://140.1.1.1 -H "X-Forwarded-For: 2.2.2.2"
### eth3 ###
root@ub00:~# curl -k https://140.1.1.1/
### eth3 ###
root@ub00:~# curl -k https://140.1.1.1 -H "X-Forwarded-For: 3.3.3.3"
### eth3 ###

### Server side
root@ub00:~# tshark -nni eth1 host 172.168.0.222 -V | grep X-Forwarde
    X-Forwarded-For: 172.168.0.222\r\n
    X-Forwarded-Proto:http\r\n
    X-Forwarded-For: 172.168.0.222\r\n
    X-Forwarded-Proto:http\r\n
    X-Forwarded-For: 2.2.2.2\r\n
    X-Forwarded-For: 172.168.0.222\r\n
    X-Forwarded-Proto:https\r\n
    X-Forwarded-For: 172.168.0.222\r\n
    X-Forwarded-Proto:https\r\n
    X-Forwarded-For: 3.3.3.3\r\n

Thanks.

//Kono

New Contributor (Posts: 3, Registered: 09-20-2012)

Re: CSW header rewrite to insert clientip on https but not http?

Hello Kono,

Thanks for your reply; however, this did not seem to work at first, and then I realized the issue. We use nginx, and nginx only respects the last X-Forwarded-For header field on any request. This is why we attempted to write a rule that would insert X-Forwarded-For only if it was not already in the header. So this answer is both correct and yet incorrect for our platform. I can send examples if you need, but basically the last X-Forwarded-For in the header is the one nginx uses.

Any idea how to get the only insert if it does not exist working?

Thanks
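The capture in Kono's test above and the nginx behaviour described in this reply can be checked together with a small script. The following is an added example, not code from the thread, from Brocade or from nginx: it re-types the tshark lines as constructed input, parses them, and shows what a backend would take as the client address under two readings of a request that carries X-Forwarded-For twice: "last header wins" (the reading reported here for nginx) and RFC 7230 field combination (repeated fields are equivalent to one comma-joined value, read right to left). The address 172.168.0.222 is the one the ADX inserted in that capture; 2.2.2.2 and 3.3.3.3 are the values curl was told to send.

```python
"""Added example, not code from the thread, Brocade or nginx: parse the
X-Forwarded-* lines from the tshark capture shown in the thread and compare
two backend interpretations of a request that carries X-Forwarded-For twice.
The capture below is re-typed from the thread as constructed input."""

# Constructed sample: the capture lines grouped per curl request, in wire
# order.  tshark -V prints the CRLF ending each header line as a literal "\r\n".
SAMPLE_CAPTURE = {
    "http": (
        "    X-Forwarded-For: 172.168.0.222\\r\\n\n"
        "    X-Forwarded-Proto:http\\r\\n\n"
    ),
    "http+client-xff": (
        "    X-Forwarded-For: 172.168.0.222\\r\\n\n"
        "    X-Forwarded-Proto:http\\r\\n\n"
        "    X-Forwarded-For: 2.2.2.2\\r\\n\n"
    ),
    "https": (
        "    X-Forwarded-For: 172.168.0.222\\r\\n\n"
        "    X-Forwarded-Proto:https\\r\\n\n"
    ),
    "https+client-xff": (
        "    X-Forwarded-For: 172.168.0.222\\r\\n\n"
        "    X-Forwarded-Proto:https\\r\\n\n"
        "    X-Forwarded-For: 3.3.3.3\\r\\n\n"
    ),
}


def parse_header_lines(text):
    """Turn 'Name: value\\r\\n' lines into an ordered list of (name, value).
    Names are lower-cased because HTTP header names are case-insensitive;
    values keep their case.  Lines without a colon are ignored."""
    headers = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\r\\n"):          # literal backslash-r-n from tshark
            line = line[:-4]
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def last_header_value(headers, name):
    """'Last occurrence wins': the reading the poster observed in nginx."""
    values = [v for n, v in headers if n == name.lower()]
    return values[-1] if values else None


def combined_hops(headers, name):
    """RFC 7230 section 3.2.2: a repeated field is equivalent to a single field
    whose value is the comma-joined list of values in wire order.  Returns the
    hops as a list: left = farthest from the backend, right = added last."""
    joined = ",".join(v for n, v in headers if n == name.lower())
    return [hop.strip() for hop in joined.split(",") if hop.strip()]


def audit_request(text):
    """Summarise one captured request: what each reading yields, and whether
    more than one X-Forwarded-For value is present (if so, at least one value
    did not come from the ADX and must be treated as client-controlled)."""
    headers = parse_header_lines(text)
    hops = combined_hops(headers, "X-Forwarded-For")
    return {
        "proto": last_header_value(headers, "X-Forwarded-Proto"),
        "last_header": last_header_value(headers, "X-Forwarded-For"),
        "rightmost_hop": hops[-1] if hops else None,
        "first_header": hops[0] if hops else None,
        "client_supplied_present": len(hops) > 1,
    }


def audit_capture(capture=SAMPLE_CAPTURE):
    """Run the audit over every request in the capture."""
    return {label: audit_request(text) for label, text in capture.items()}


if __name__ == "__main__":
    for label, result in audit_capture().items():
        print(f"{label:18s} {result}")
```

In this capture the ADX placed its own header ahead of the one curl sent, so both readings return the curl-supplied value (2.2.2.2 or 3.3.3.3) for the two "+client-xff" requests; the ADX-inserted address is the first header, and a backend cannot tell that apart by position alone. The practical check is the `client_supplied_present` flag: any request with more than one X-Forwarded-For value carries data the backend did not get from its own load balancer.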

New Contributor (Posts: 3, Registered: 09-20-2012)

Re: CSW header rewrite to insert clientip on https but not http?

And we are pushing a new build of nginx to our test config to see if this is resolved there. I will update the thread.

Thanks

Contributor (Posts: 47, Registered: 07-14-2010)

Re: CSW header rewrite to insert clientip on https but not http?

Hi Dalec-san,

>Any idea how to get the only insert if it does not exist working?

What about the configuration below? I think steps 1 through 3 are what you want.

1. ADX receives an http/https request.
2. If "X-Forwarded-For" exists, just add the "X-Forwarded-Proto" header and forward.
3. If not, add the "X-Forwarded-For" and "X-Forwarded-Proto" headers, and forward.

------------
csw-rule "csw-rule1" header "X-Forwarded-For" exists
csw-rule "csw-rule2" url exists
csw-policy "policy-http"
 match "csw-rule1" forward 1
 match "csw-rule1" rewrite request-insert header "X-Forwarded-Proto: http"
 match "csw-rule2" forward 1
 match "csw-rule2" rewrite request-insert header "X-Forwarded-Proto: http"
 match "csw-rule2" rewrite request-insert client-ip "X-Forwarded-For"
csw-policy "policy-ssl"
 match "csw-rule1" forward 1
 match "csw-rule1" rewrite request-insert header "X-Forwarded-Proto: https"
 match "csw-rule2" forward 1
 match "csw-rule2" rewrite request-insert header "X-Forwarded-Proto: https"
 match "csw-rule2" rewrite request-insert client-ip "X-Forwarded-For"
------------

I personally think that if "X-Forwarded-For" already exists, ADX should add the IP address in a comma-separated manner instead of adding a new "X-Forwarded-For" header, so that the same header is not seen twice. I think seeing exactly the same header twice may be outside the HTTP standards. In the case below, 172.27.1.222 is the IP nearest the HTTP client side and 192.168.112.1 the next one.

X-Forwarded-For: 172.27.1.222, 192.168.112.1

Anyway, when the CSW configuration above does not meet your requirement, it's time to write an OpenScript! Please let me know if we need to write an OpenScript for you. Either I or other professionals will assist you in writing it.

http://community.brocade.com/community/discuss/openscript

http://community.brocade.com/docs/DOC-3198

Thanks.

//Kono
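The three ways of handling a request that already carries X-Forwarded-For all appear in this thread: always insert a second header in front of the existing one (what the earlier capture shows), insert only when the header is absent (the csw-rule1/csw-rule2 policy above), or append the address comma-separated to the existing value (what Kono argues ADX should do). The script below is an added example, not code from the thread or from Brocade, that simulates each policy against an honest client and a client that sends a forged X-Forwarded-For, then reads the result the way the poster's nginx does (last header wins) and the way a trusted-proxy walk does (rightmost hop not belonging to one of our own proxies). The forged value 10.9.9.9 and the client request headers are constructed; 172.168.0.222 and 140.1.1.1 are taken from the test earlier in the thread.

```python
"""Added example, not code from the thread or from Brocade: simulate the three
ADX insertion behaviours discussed in the thread and show what a backend that
reads only the last X-Forwarded-For (the poster's nginx) logs for a client that
forges that header.  Addresses and requests are constructed for illustration."""

REAL_CLIENT = "172.168.0.222"   # TCP peer address the ADX actually sees (from the capture)
FORGED = "10.9.9.9"             # constructed: value a hostile client writes into its own header
XFF = "x-forwarded-for"         # header names are compared lower-case throughout

# Constructed client requests: one honest, one that arrives with a forged header.
CLIENTS = {
    "honest": [("host", "140.1.1.1")],
    "forged": [("host", "140.1.1.1"), (XFF, FORGED)],
}


def insert_new_header(headers, client_ip):
    """Always add a header.  In the capture the ADX-inserted one lands first."""
    return [(XFF, client_ip)] + list(headers)


def insert_if_absent(headers, client_ip):
    """Add the header only when none is present (csw-rule1 handled before csw-rule2)."""
    if any(n == XFF for n, _ in headers):
        return list(headers)
    return [(XFF, client_ip)] + list(headers)


def append_comma(headers, client_ip):
    """One header, with the address the ADX received from appended on the right."""
    existing = [v for n, v in headers if n == XFF]
    others = [(n, v) for n, v in headers if n != XFF]
    return others + [(XFF, ", ".join(existing + [client_ip]))]


POLICIES = {
    "insert-new-header": insert_new_header,
    "insert-if-absent": insert_if_absent,
    "append-comma": append_comma,
}


def read_last_header(headers):
    """'Last occurrence wins', as the thread reports for the poster's nginx."""
    values = [v for n, v in headers if n == XFF]
    return values[-1] if values else None


def read_rightmost_hop(headers, trusted=frozenset()):
    """Join every value, then walk from the right past any address that is one
    of our own proxies; the first other address is the best available client IP."""
    hops = [h.strip() for n, v in headers if n == XFF
            for h in v.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return None


def compare(trusted=frozenset()):
    """What each backend reading returns for every policy x client combination."""
    results = {}
    for pname, policy in POLICIES.items():
        for cname, sent in CLIENTS.items():
            forwarded = policy(sent, REAL_CLIENT)
            results[(pname, cname)] = {
                "last_header": read_last_header(forwarded),
                "rightmost_hop": read_rightmost_hop(forwarded, trusted),
            }
    return results


def spoofable(results, reading):
    """Policies under which the forged request makes the given reading return
    something other than the real client address."""
    return sorted(p for (p, c), r in results.items()
                  if c == "forged" and r[reading] != REAL_CLIENT)


if __name__ == "__main__":
    table = compare()
    for key, value in table.items():
        print(key, value)
    print("spoofable, last-header reading:  ", spoofable(table, "last_header"))
    print("spoofable, rightmost-hop reading:", spoofable(table, "rightmost_hop"))
```

What this shows: with the "insert only if absent" policy, a client that sends its own X-Forwarded-For decides what nginx logs, since the ADX then adds nothing; the "insert a second header" policy gives the same result under a last-header reading because the ADX header lands first. Only the comma-append behaviour keeps the address the ADX saw on the right, and even then the backend has to read the rightmost hop rather than the raw header value (which is the whole list). Whichever policy is chosen, the X-Forwarded-For value should not drive access control or rate limiting unless the ADX strips or overwrites what the client sent.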
