8 Replies Latest reply on Oct 25, 2012 9:02 AM by asabban

    Add Header X-Forwarded-For

      Hello,

       

      I tried to add the X-Forwarded-For header to each request. What I did was:

       

      Header.Add("X-Forwarded-For",IP.ToString(Client.IP))

       

      and I removed the "HTTP(S): Remove all Hop-By-Hop headers" in the configuration.

       

      Result: The header is still not there. When I use another name (e.g. X-Forwarded-blah) the header is written exactly with X-Forwarded-blah.

       

      My question is: What's wrong?

       

      Regards

        • 1. Re: Add Header X-Forwarded-For
          Jon Scholten

          The XFF is added by default with MWG7.

           

          How are you looking to see it exists?

           

          ~Jon

          • 2. Re: Add Header X-Forwarded-For

            I was using tcpdump (dumped the complete conversation) and there is NO x-forwarded-for header to see. It is removed by the webgateway 7.

            • 3. Re: Add Header X-Forwarded-For
              Jon Scholten

              x-forwarded-for.png

               

              Do you have any rules that remove it (click image above)?

               

              Honestly it is on by default, and that's the only way it cannot be there. Otherwise I would suggest opening a support case and including a feedback (don't post a feedback here).

               

              ~Jon

              • 4. Re: Add Header X-Forwarded-For

                No, even when I am using a global whitelist and stop the cycle right at the beginning, the x-forwarded-for header is not part of the http header. There is no rule that removes it. Is it possible to search in the policy for any rule containing the word x-forwarded-for?

                 

                Regards

                • 5. Re: Add Header X-Forwarded-For
                  Jon Scholten

                  There isn't a search mechanism to search for the use of an event, but it is easy enough to click show details and look at the rule events.

                   

                  If you open an SR please let me know the #.

                   

                  ~Jon

                  • 6. Re: Add Header X-Forwarded-For
                    tim.skopnik

                    we are encountering the same problem here:

                    o xff is added correctly (even in chaining) when using http

                    o xff is NOT added when using https (with ssl-scanning enabled)

                    o we use NO rule removing this header for ssl

                     

                    Any help would be great

                     

                    cu. tim

                    • 7. Re: Add Header X-Forwarded-For
                      tim.skopnik

                      OK - waiting on the hotline I found the reason myself:

                      In the appliance-configuration under proxies/advanced I found the setting "HTTPS: Remove all HopByHopHeaders" - I had not expected such a setting here (expected a RULE removing the headers - but there was no such thing).

                      Interestingly, there is only a checkbox for HTTPS, not for HTTP - so sending internal IPs to the WWW by HTTP is no security-problem, eh?

                       

                      => Disabled setting and added rule removing the headers (depending on destination ip)

                       

                      The only difficulty now is to find the proper place for the rule as it has to be placed AFTER enabling of SSL-scanning and BEFORE any non-blocking stop-ruleset-rule.... (correct?)

                       

                      cu. tim

                      • 8. Re: Add Header X-Forwarded-For
                        asabban

                        Hello,

                         

                        I don't think you need to find a specific place for the rule that controls the header behaviour. Important is that - at the end of the request cycle - the header is removed, otherwise it will be forwarded. If you block the request it will not leave the proxy, so it shouldn't matter.

                         

                        Best,

                        Andre
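
Added example, not part of any post in this thread and not McAfee Web Gateway code: a Python check for request heads observed downstream of the proxy that reports internal client addresses still present in X-Forwarded-For on requests to external destinations, mirroring the "remove depending on destination IP" rule from reply 7. The RFC 1918 definition of "internal", the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: "internal" means the RFC 1918 ranges; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True if addr parses as an IP inside INTERNAL_NETS ('unknown' etc. -> False)."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def xff_values(raw_request):
    """Return every address listed in X-Forwarded-For headers of a raw request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            values += [v.strip() for v in value.split(",") if v.strip()]
    return values

def leaked_internal_ips(dest_ip, raw_request):
    """Internal addresses exposed via XFF to a destination outside INTERNAL_NETS."""
    if is_internal(dest_ip):      # e.g. a parent proxy or internal server
        return []
    return [v for v in xff_values(raw_request) if is_internal(v)]

# Constructed sample: (destination IP, request head) pairs as seen leaving the proxy.
SAMPLE = [
    ("203.0.113.10", b"GET / HTTP/1.1\r\nHost: a.example\r\nX-Forwarded-For: 10.1.2.3\r\n\r\n"),
    ("203.0.113.10", b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    ("192.168.5.20", b"GET / HTTP/1.1\r\nHost: intranet\r\nX-Forwarded-For: 10.1.2.3\r\n\r\n"),
    ("198.51.100.7", b"GET / HTTP/1.1\r\nHost: b.example\r\n"
                     b"x-forwarded-for: 172.16.4.9, 192.168.1.1\r\n\r\n"),
]

def audit(captures):
    """Return (destination, leaked addresses) for every request that leaks."""
    results = ((dest, leaked_internal_ips(dest, raw)) for dest, raw in captures)
    return [(dest, leaked) for dest, leaked in results if leaked]

if __name__ == "__main__":
    for dest, leaked in audit(SAMPLE):
        print(f"{dest}: X-Forwarded-For exposes {', '.join(leaked)}")
```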