Identifying original source through SSLi.
Can the Thunder ADC 1030 with SSL Inspect analyze traffic through a proxy while reporting its original source? For this configuration, maybe I can use X-Forwarded-For; I'm not sure if it works.
Could someone help me?
Best Answer
filipe.penido@techbiz.com.br Member ✭
Hi oscaroller,
Firstly, thanks for your help.
Below is the solution proposed for this issue.
Problem Description:
Want to include the client IP through SSLi.
Action Items:
This can be done by applying an HTTP template to the HTTPS virtual-server port with the option “insert-client-ip”.
Ex:
slb template http test
  insert-client-ip X-Forwarded-For
slb virtual-server ssli 0.0.0.0 acl 101
  port 0 others
    service-group udp
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 tcp
    service-group tcp
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 udp
    service-group udp
    use-rcv-hop-for-resp
    no-dest-nat
  port 443 https
    service-group ssli
    use-rcv-hop-for-resp
    template http test
    template client-ssl ssli_cssl
    no-dest-nat port-translation
Regards.
0
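Added example (not part of the post above and not A10 code): how a downstream proxy or log pipeline can read the X-Forwarded-For header that the template inserts, trusting it only when the request arrives from the SSLi device, since a client can send its own X-Forwarded-For. The device address 192.0.2.10, the sample client addresses and the name original_source are assumptions made for illustration.

```python
import ipaddress

# Assumed (constructed) address of the SSLi device as seen by the receiver.
TRUSTED_HOPS = [ipaddress.ip_network("192.0.2.10/32")]


def _trusted(ip):
    return any(ip in net for net in TRUSTED_HOPS)


def original_source(peer_ip, xff_values):
    """Return the client address to log for one request.

    peer_ip    -- address of the TCP peer that delivered the request
    xff_values -- list of X-Forwarded-For values, one per header line
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header delivered by anything other than the trusted hop is
    # client-controlled, so ignore it and log the peer itself.
    if not _trusted(peer):
        return str(peer)
    # Several header lines are equivalent to one comma-joined list.
    entries = [e.strip() for v in xff_values for e in v.split(",") if e.strip()]
    # Walk right to left: the rightmost entries were added by hops we trust,
    # and the first untrusted address is the original source.
    for entry in reversed(entries):
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            # Malformed entry: everything to its left is unverifiable.
            break
        if not _trusted(ip):
            return str(ip)
    return str(peer)


if __name__ == "__main__":
    # Constructed sample: the client supplied 198.51.100.99 itself and the
    # trusted hop appended the real source 10.1.1.25.
    print(original_source("192.0.2.10", ["198.51.100.99, 10.1.1.25"]))
```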
Answers
Hi Philip
The ways to select the traffic that will be processed by SSLi are:
1 -> access-list matches the IPs / ports in the communication.
2 -> Bypass based on IP-domains-IP-class list, URL categorization, authentication,
You can do Bypass using the username or the AD group, which basically identifies the user behind the proxy.
As far as I know, is´t possible use the X-For
Attach a flow of graphics with processing.
Regards.