I tried to add the X-Forwarded-For header to each request. What I did was:
and I removed the "HTTP(S): Remove all Hop-By-Hop headers" in the configuration.
Result: The header is still not there. When I use another name (e.g. X-Forwarded-blah) the header is written exactly as X-Forwarded-blah.
My question is: What's wrong?
Do you have any rules that remove it (click image above)?
Honestly, it is on by default, and that's the only way it cannot be there. Otherwise I would suggest opening a support case and including a feedback (don't post a feedback here).
No, even when I am using a global whitelist and stop the cycle right at the beginning, the X-Forwarded-For header is not part of the HTTP header. There is no rule that removes it. Is it possible to search the policy for any rule containing the word x-forwarded-for?
There isn't a search mechanism to search for the use of an event, but it is easy enough to click "show details" and look at the rule events.
If you open an SR please let me know the #.
We are encountering the same problem here:
o XFF is added correctly (even in chaining) when using HTTP
o XFF is NOT added when using HTTPS (with SSL scanning enabled)
o we use NO rule removing this header for SSL
Any help would be great
OK - waiting on the hotline, I found the reason myself:
In the appliance configuration under proxies/advanced I found the setting "HTTPS: Remove all HopByHopHeaders" - I had not expected such a setting here (I expected a RULE removing the headers - but there was no such thing).
Interestingly, there is only a checkbox for HTTPS, not for HTTP - so sending internal IPs to the WWW by HTTP is no security problem, eh?
=> Disabled the setting and added a rule removing the headers (depending on destination IP)
The only difficulty now is to find the proper place for the rule, as it has to be placed AFTER enabling of SSL scanning and BEFORE any non-blocking stop-ruleset rule... (correct?)
I don't think you need to find a specific place for the rule that controls the header behaviour. What is important is that - at the end of the request cycle - the header is removed, otherwise it will be forwarded. If you block the request it will not leave the proxy, so it shouldn't matter.
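As an added example (not code from this thread or from the appliance vendor, and not the appliance's rule syntax), the header handling the posts are circling around can be written out as a small Python function: strip the hop-by-hop headers a proxy must not forward (the fixed RFC 7230 §6.1 set plus anything named in the request's Connection header), then append X-Forwarded-For when the destination is internal (chaining) and remove it entirely when the destination is on the Internet, so internal client addresses do not leak. The internal address ranges and the sample header dictionary below are constructed assumptions for illustration.

```python
import ipaddress
from typing import Dict, Optional

# Headers RFC 7230 section 6.1 defines as hop-by-hop; a proxy must not forward them.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Destinations treated as "internal" in this example (assumption: RFC 1918,
# loopback and link-local; replace with the real address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(dest_ip: str) -> bool:
    """True if the destination address falls in one of the internal ranges."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in INTERNAL_NETS)


def strip_hop_by_hop(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers without hop-by-hop headers.

    Besides the fixed set, any header name listed in the Connection header
    is hop-by-hop for this connection and is dropped too. Matching is
    case-insensitive, since header names are.
    """
    lowered = {k.lower(): k for k in headers}
    drop = set(HOP_BY_HOP)
    connection_value = headers.get(lowered.get("connection", ""), "")
    for token in connection_value.split(","):
        token = token.strip().lower()
        if token:
            drop.add(token)
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def forward_headers(headers: Dict[str, str], client_ip: str, dest_ip: str,
                    forward_xff: Optional[bool] = None) -> Dict[str, str]:
    """Build the outbound header set for a proxied request.

    - Hop-by-hop headers are always removed.
    - X-Forwarded-For is appended (proxy chaining) when the destination is
      internal and removed for external destinations. `forward_xff` lets a
      caller override the destination-based decision, the way a policy rule
      keyed on destination IP would.
    """
    out = strip_hop_by_hop(headers)
    if forward_xff is None:
        forward_xff = is_internal(dest_ip)
    # Locate an existing X-Forwarded-For header regardless of case.
    existing_key = next((k for k in out if k.lower() == "x-forwarded-for"), None)
    if forward_xff:
        if existing_key:
            out[existing_key] = out[existing_key] + ", " + client_ip
        else:
            out["X-Forwarded-For"] = client_ip
    elif existing_key:
        del out[existing_key]
    return out


if __name__ == "__main__":
    # Constructed sample request headers from an internal client behind a first proxy.
    sample = {
        "Host": "intranet.example",
        "Connection": "keep-alive, X-Custom",
        "X-Custom": "1",
        "Keep-Alive": "timeout=5",
        "X-Forwarded-For": "10.9.8.7",
    }
    print(forward_headers(sample, "10.1.2.3", "10.20.30.40"))   # XFF chained
    print(forward_headers(sample, "10.1.2.3", "93.184.216.34")) # XFF removed
```

Note that a client can name arbitrary headers in Connection and a compliant proxy will drop them; because the function re-adds X-Forwarded-For with the proxy's own value after stripping, the proxy's record of the client address survives that, while the decision to forward it at all stays tied to the destination.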