rajeevsrikant
Expert

“Insert X-Forwarded-For HTTP header”


I am planning to deploy NSX Load balancer in Proxy (One Arm Mode)

I will be enabling “Insert X-Forwarded-For HTTP header” to insert the original IP address of the client into the HTTP header before performing S-NAT.

I have the below questions.

1. Will this work for HTTPS requests also, or will it work only for HTTP requests?

2. How different is “Insert X-Forwarded-For HTTP header” from enabling the transparent option?


5 Replies
ddesmidt
VMware Employee

X-Forwarded-For HTTP header (XFF) is inserted for:

1. HTTP VIP

2. HTTPS VIP if the NSX LB terminates the Client HTTPS (not SSL passthrough). Note: This means you must have the application SSL certificate imported in NSX Edge.

If you have XFF enabled in the Application Profile for case 1 or case 2, the XFF HTTP header will be added to the request to the server.

And this regardless of whether you have configured your pool in transparent mode (no SNAT) or non-transparent mode (SNAT).

Dimitri

rajeevsrikant
Expert

Thanks.

2. HTTPS VIP if the NSX LB terminates the Client HTTPS (not SSL passthrough). Note: This means you must have the application SSL certificate imported in NSX Edge.

This means that the client IP address will be carried if the NSX LB terminates the client HTTPS request.

If it is configured as passthrough, the client IP will not be carried for the HTTPS request.

Let me know if my above understanding is right.

ddesmidt
VMware Employee

The fact that NSX-Edge LB terminates SSL means NSX-Edge LB can modify the HTTPS client request (like adding the XFF header).

Note: like NSX-Edge LB can do for HTTP traffic.

The fact that NSX-Edge is configured in transparent mode (= no SNAT)

(and this regardless of whether that's HTTP, HTTPS passthrough, HTTPS end-to-end SSL, HTTPS SSL-offload, or whatever)

means the source IP of the client (at layer 3) will NOT be replaced by the Edge IP => the backend server can see the real client IP address in the source IP address of the traffic.

Attention: transparent mode requires the servers' default gateway to be the Edge.

Dimitri

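How a backend behind this setup should derive the client address in each case Dimitri describes (SNAT pool with XFF inserted, transparent pool with the real source IP at layer 3, and SSL passthrough where no header can be inserted), as an added Python example that is not part of the thread or of NSX; the Edge SNAT address 10.10.10.5 is a constructed assumption.

```python
import ipaddress

# Constructed for this example: the NSX Edge LB's SNAT source address in
# one-arm (proxy) mode. A backend should only trust XFF from this address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.5/32")]


def _is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Return the client address a backend should log or rate-limit on.

    peer_ip : layer-3 source address of the TCP connection as the server sees it.
    headers : HTTP request headers (looked up case-insensitively here).

    - Transparent pool (no SNAT): peer_ip already is the real client, so any
      XFF that arrives was supplied by the client and must be ignored.
    - Non-transparent pool (SNAT): peer_ip is the Edge; the client is the
      last hop in XFF that is not a trusted proxy, walking right to left.
    - SSL passthrough: the Edge cannot insert XFF, so the (SNAT'd) peer_ip
      is all the backend has.
    """
    if not _is_trusted(peer_ip):
        return peer_ip  # transparent mode: source IP is the client
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return peer_ip  # e.g. HTTPS passthrough: no header could be inserted
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed hop: distrust the whole header
        if not _is_trusted(hop):
            return hop
    return peer_ip  # every hop was a trusted proxy
```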

rajeevsrikant
Expert

Thanks.

VMgwbaby
Enthusiast

Your explanation is very helpful. For those who are a little confused about "Transparent", Dimitri is referring to "Transparent" as a mode (in-line = two-armed). I believe the original question was related to the transparent tick box on the pool, not the mode.

I do not know if the transparent tick box is a requirement for in-line.
