cancel
Showing results for 
Search instead for 
Did you mean: 
tkcc
Level 7

Add Header X-Forwarded-For

Hello,

I tried to add the X-Forwarded-For header to each request. What I did was:

Header.Add("X-Forwarded-For",IP.ToString(Client.IP))

and I removed the "HTTP(S): Remove all Hop-By-Hop headers" in the configuration.

Result: The header is still not there. When I use another name (eg. X-Forwarded-blah) the header is written exactly with X-Forwarded-blah.

My question is: What's wrong?

Regards

0 Kudos
8 Replies
McAfee Employee

Re: Add Header X-Forwarded-For

The XFF is added by default with MWG7.

How are you looking to see it exists?

~Jon

0 Kudos
tkcc
Level 7

Re: Add Header X-Forwarded-For

I was using tcpdump (dumped the complete conversation) and there is NO x-forwarded-for header to see. It it removed by the webgateway 7.

0 Kudos
McAfee Employee

Re: Add Header X-Forwarded-For

x-forwarded-for.png

Do you have any rules that remove it (click image above)?

Honestly it is on by default, and thats the only way it cannot be there. Otherwise I would suggest opening a support case and including a feedback (dont post a feedback here).

~Jon

0 Kudos
tkcc
Level 7

Re: Add Header X-Forwarded-For

no, even when I am using a global whitelist and stop the cycle right at the beginning, the x-forwarded-for header is not part of the http header. There is no rule that removes it. Is it possible to search in the policy for any rule containing the word x-forwarded-for???

Regards

0 Kudos
McAfee Employee

Re: Add Header X-Forwarded-For

There isnt a search mechanism to search for the use of an event, but it is easy enough to click show details and look at the rule events.

If you open an SR please let me know the #.

~Jon

0 Kudos
tim.skopnik
Level 7

Re: Add Header X-Forwarded-For

we are encountering the same problem here:

o xff is added correctly (even in chaining) when using http

o xff is NOT added when using https (with ssl-scanning enabled)

o we use NO rule removing this header for ssl

Any help would be great

cu. tim

0 Kudos
tim.skopnik
Level 7

Re: Add Header X-Forwarded-For

ok - waiting on the hotline i found the reason myself:

In the appliance-configuration under proxies/advanced i found the setting "HTTPS: Remove all HopByHopHeaders" - I had not expected such a setting here (expected a RULE removing the headers - but there was no such thing).

Interesting there is only a checkbox for HTTPS not for HTTP - so sending internal IPs to the WWW by HTTP is no security-problem, eh?

=> Disabled setting and added rule removing the headers (depending on destination ip)

The only difficulty now is to find the proper place for the rule as it has to be placed AFTER enabling of SSL-scanning and BEFORE any non-blocking stop-ruleset-rule.... (correct?)

cu. tim

0 Kudos
asabban
Level 17

Re: Add Header X-Forwarded-For

Hello,

I don´t think you need to find a specific place for the rule that controls the header behaviour. Important is that - at the end of the request cycle - the header is removed, otherwise it will be forwarded. If you block the request it will not leave the proxy, so it shouldn´t matter.

Best,

Andre

0 Kudos