Identifying original source through SSLi.

Can the Thunder ADC 1030 with SSL Inspect analyze traffic through a proxy while reporting its original source? For this configuration maybe I can use X-Forwarded-For; I'm not sure if it works.

Could someone help me?

Best Answer

  • filipe.penido@techbiz.com.br Member
    Accepted Answer

    Hi oscaroller,


    Firstly, thanks for your help.

    Below is the solution proposed for this issue.



    Problem Description:

       Want to include the client IP through SSLi.


    Action Items:

       This can be done by applying an HTTP template to the HTTPS virtual-server port with the option “insert-client-ip”.

    Ex:

    slb template http test
     insert-client-ip X-Forwarded-For

    slb virtual-server ssli 0.0.0.0 acl 101
     port 0 others
       service-group udp
       use-rcv-hop-for-resp
       no-dest-nat
     port 0 tcp
       service-group tcp
       use-rcv-hop-for-resp
       no-dest-nat
     port 0 udp
       service-group udp
       use-rcv-hop-for-resp
       no-dest-nat
     port 443 https
       service-group ssli
       use-rcv-hop-for-resp
       template http test
       template client-ssl ssli_cssl
       no-dest-nat port-translation


    Regards.
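
A downstream check for the header this template inserts, as an added example that is not part of the original post or A10's own code: the proxy or log pipeline receiving traffic from the SSLi device should honour X-Forwarded-For only when the connection comes from that device, and read it from the right, because a client can send its own header. The range 10.10.0.0/24, the function names, and the assumption that the device appends the client address as the last entry are illustrative.

```python
import ipaddress

# Constructed assumption: addresses the SSLi device uses toward the upstream proxy.
TRUSTED_INSERTERS = [ipaddress.ip_network("10.10.0.0/24")]


def _is_trusted(addr):
    """True when addr belongs to a device we allow to set X-Forwarded-For."""
    return any(addr in net for net in TRUSTED_INSERTERS)


def original_source(peer_ip, xff_values):
    """Return the client IP to record for a request.

    peer_ip    -- TCP peer address seen by the upstream proxy
    xff_values -- list of X-Forwarded-For header values, in arrival order
    """
    peer = ipaddress.ip_address(peer_ip)
    # Honour the header only when the connection comes from the SSLi device;
    # any other sender can put arbitrary text in X-Forwarded-For.
    if not _is_trusted(peer):
        return str(peer)
    # Repeated headers are equivalent to one comma-separated list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were added closest to us.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop rather than trust anything further left.
            break
        if not _is_trusted(addr):
            return str(addr)
    # No usable entry: fall back to the address we actually saw.
    return str(peer)
```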

Answers

  • Hi Philip

    The ways to select the traffic that will be processed by SSLi are:

    1 -> access-list matches the IPs / ports in the communication.

    2 -> Bypass based on IP-domains-IP-class list, URL categorization, authentication.

    You can do Bypass using the username or the AD group, which basically identifies the user behind the proxy.

    As far as I know, is´t possible use the X-For

    Attached is a flow graphic with the processing.

    Regards.
