Skip to main content
wasfi
wasfi
New Member
May 15, 2021
Question

Can the fortigate insert a X-Forwarded-For header only for GET and CONNECT methods?

  • May 15, 2021
  • 1 reply
  • 4909 views

Hi;

 

Can I have the FortiGate insert an X-Forwarded-For header only if the HTTP method is GET or CONNECT. Basically I have a virtual server of type http set up with "Preserve Client IP". It is load balancing traffic originating from browsers "with explicit proxy" and destined to a couple of proxy servers. The destination port is 8080.

 

When the Fortigate inserts the X-Forwarded-For for HTTP datagrams with GET, POST, CONNECT, things work fine. However, when it inserts the XFF in datagrams encapsulating TLS content, then it inserts the XFF in the datagram's body causing it to be malformed. 

 

If I can have a simple rule that says: If the HTTP method does not exist then don't insert the XFF header.

 

Kindly

Wasfi

 

 

    1 reply

    Yurisk
    SuperUser
    Yurisk
    SuperUser
    May 16, 2021

    Nope, VIP with load balancing does not include ability to match on request type.  onthe other hand- fortigate acts as an ssl proxy and encrypts its connection to the server with X-forwarded header already added, why does it make payload corrupt in your case ? This should not happen IMO. 

    wasfi
    wasfiAuthor
    New Member
    May 16, 2021

    in my case, the FortiGate virtual server is not doing any SSL decryption. It however, adds the XFF header in the http datagram conveying the client hello.

    Terms & ConditionsAccessibility statement