Agent_1994
New Member
October 2, 2017
Question

make explicit proxy use the x-forwarded-for header as a source


Hello again,

It's me again with another weird question. Let's start with the objective. There are two FortiGates on different sites; let's call the local one "FG-A" and the remote one "FG-B". FG-B has explicit proxy enabled, a collector, and explicit proxy policies. FG-A and FG-B are connected via MPLS.

On FG-B we want to route certain traffic (Office 365, if you may) to another WAN connection, and the rest must be forwarded to the explicit proxy on FG-A. My first thought was to use proxy chaining, but I have a problem: the source IP address that FG-B sees is FG-A, not the user. OK, that's why we use X-Forwarded-For... right? I managed to add that header using a web-proxy profile, but my problem is that FG-B ignores this header.

Is there a way to make the explicit proxy use the X-Forwarded-For header to take the source IP? Or should I try something else?

TIA.

PS: Yes, I know that it's a strange solution, but we have some restraints (i.e. FG-B is at an ISP; we can just add the other WAN connection there).
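The part of the question worth pinning down is what "use X-Forwarded-For as the source" should mean on the upstream proxy: the header can be written by any client, so it is only safe to honour on connections that arrive from a known downstream proxy, and only the right-most hop that is not itself a trusted proxy is the client. The following is an added example written for this thread, not code from the poster or from FortiOS; the proxy address 10.0.0.1 (standing in for FG-A as seen by FG-B), the client addresses and the Via pseudonyms are all constructed.

```javascript
// Added example, not from the original post or FortiOS: deriving the client
// address from X-Forwarded-For on an upstream explicit proxy, trusting the
// header only when the connection comes from a known downstream proxy.
// All addresses and names are constructed for this example.

// Address of the downstream proxy (FG-A) as the upstream (FG-B) sees it.
const TRUSTED_PROXIES = new Set(["10.0.0.1"]);

// Accepts dotted-quad IPv4 with octets 0-255, or a loosely checked IPv6 literal.
function isIpAddress(s) {
  const v4 = s.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) return v4.slice(1).every((octet) => Number(octet) <= 255);
  return /^[0-9a-f:]+$/i.test(s) && s.includes(":");
}

// X-Forwarded-For and Via share the same comma-separated list syntax.
function parseHeaderList(headerValue) {
  if (!headerValue) return [];
  return headerValue.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// peerIp is the TCP source address of the connection (what FG-B sees today).
// Returns { client, fromHeader }; fromHeader is true only when the
// X-Forwarded-For value was actually used.
function effectiveClientIp(peerIp, xffHeader, trusted = TRUSTED_PROXIES) {
  // Connection not from a trusted downstream proxy: the header could have been
  // written by anyone, so ignore it and keep the real source address.
  if (!trusted.has(peerIp)) return { client: peerIp, fromHeader: false };
  const hops = parseHeaderList(xffHeader);
  // Walk from the right (the hop nearest to us) leftwards. Trusted proxies are
  // skipped; the first untrusted hop is the client. A value that is not a
  // well-formed IP means the header was not built by our own chain, so fall
  // back to the peer address rather than guess.
  for (let i = hops.length - 1; i >= 0; i--) {
    const hop = hops[i];
    if (trusted.has(hop)) continue;
    if (!isIpAddress(hop)) return { client: peerIp, fromHeader: false };
    return { client: hop, fromHeader: true };
  }
  // Empty header, or only trusted proxies listed: nothing better than the peer.
  return { client: peerIp, fromHeader: false };
}

// Loop check on the Via header (RFC 7230 section 5.7.1): each proxy appends
// "protocol-version pseudonym"; seeing our own pseudonym means the request
// has already passed through us once.
function detectProxyLoop(viaHeader, ownPseudonym) {
  return parseHeaderList(viaHeader)
    .map((entry) => entry.split(/\s+/)[1])
    .includes(ownPseudonym);
}

// Constructed sample: a user on 192.168.10.25 behind FG-A who also tried to
// forge the header before FG-A appended the real address.
console.log(effectiveClientIp("10.0.0.1", "1.2.3.4, 192.168.10.25"));
console.log(effectiveClientIp("203.0.113.7", "192.168.10.25"));
console.log(detectProxyLoop("1.1 fg-a, 1.1 fg-b", "fg-b"));
```

The design point is the trusted-peer check: if the upstream proxy applied the header to every connection, any user who can reach FG-B directly could pick their own "source" for policy and logging. Whatever proxy product does the chaining, the setting to look for is one that restricts which peers may supply the header, not just one that switches header parsing on.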

 

    2 replies

    emnoc
    New Member
    October 3, 2017

    Can you draft a topology? You might want to look at proxy-PAC files and the controls within. This way the client sends to the proxy that you want.

    Examples are within this blog:

    http://socpuppet.blogspot.com/2017/08/fortigate-explicit-proxy-with.html

    I personally hate & try to avoid proxy-chaining due to the following:

    1: possible outage if the chain is broken

    2: via/xff overlooked, and proxy-loops

    3: adds more complexity imho

    Proxy-chaining is beneficial in a stable network where the proxy-chain is fully redundant. I've used polipo and privoxy for this, in load-balance situations and where user-auth was not a requirement and chaining was needed. It worked 100% and was easy to manage; the apache-like access.log was easy to parse and crunch as a side benefit.

    Ken
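The PAC-file approach above sidesteps the whole X-Forwarded-For problem: the client itself decides which destinations go straight out and which go to FG-A's explicit proxy, so FG-A sees the real client address and there is no chain to break or loop. The following is an added example of such a PAC file, written for this thread and not taken from the reply, the linked blog or Fortinet. The proxy address, the internal domain and the Office 365 domain list are constructed placeholders (the authoritative Office 365 endpoint list is published by Microsoft). PAC files are plain JavaScript, and the browser's PAC sandbox supplies isPlainHostName, dnsDomainIs and shExpMatch; minimal versions are defined here so the file also runs under Node.

```javascript
// Added example, not from the thread or Fortinet: a proxy auto-config (PAC)
// file that sends Office 365 DIRECT (so FG-B's ordinary firewall policy can
// route it out the second WAN link) and everything else to FG-A's explicit
// proxy. Names and addresses are constructed placeholders.

var FG_A_PROXY = "PROXY fg-a.corp.example:8080";
var INTERNAL_DOMAIN = "*.corp.example";
// Illustrative subset; use the vendor-published endpoint list in practice.
var O365_DOMAINS = [".office.com", ".office365.com", ".outlook.com",
                    ".microsoftonline.com", ".sharepoint.com"];

// The browser PAC engine provides these three; the definitions below are
// minimal equivalents so the file can be executed under Node for testing.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Shell-style pattern: "*" matches any run, "?" any single character.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names never leave via the proxy.
  if (isPlainHostName(host) || shExpMatch(host, INTERNAL_DOMAIN)) return "DIRECT";
  // Office 365: bypass the proxy so the firewall can route it out the other WAN.
  for (var i = 0; i < O365_DOMAINS.length; i++) {
    if (dnsDomainIs(host, O365_DOMAINS[i])) return "DIRECT";
  }
  // Everything else goes straight to FG-A's explicit proxy. Add a second
  // "PROXY host:port" entry for failover; do not append "DIRECT" here, or a
  // proxy outage silently turns into an uninspected bypass.
  return FG_A_PROXY;
}
```

Two things to watch when deploying something like this: the DIRECT branch only works if FG-B's firewall policy and routing actually steer those destinations to the second WAN link (the PAC decides only whether a proxy is used, not the path), and any fallback in the last `return` should be a second proxy rather than `DIRECT`, otherwise a failed proxy quietly becomes unfiltered egress.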

     

    wluo
    New Member
    October 23, 2017

    It is supported in FortiOS 5.6+. Please refer to Page 305 at http://docs.fortinet.com/...ortios_firewall-56.pdf