
How to Use the X-Forwarded-For Header from the CONNECT Request to Apply Policy to HTTPS Traffic


Article ID: 172984


Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Some networks have a network device, such as a child proxy or load balancer, that performs Network Address Translation (NAT) on traffic behind it, so the client IP seen by the ProxySG cannot be used for policy. In some configurations the device adds an X-Forwarded-For HTTP header that contains the original client IP, but because the device does not decrypt SSL traffic it cannot insert the X-Forwarded-For header into every request. This makes it difficult to write policy based solely on the X-Forwarded-For header.

Environment

  • Network device such as a load balancer or child proxy NATs the client IP address of HTTP/HTTPS traffic
  • Network device inserts original client IP address into the X-Forwarded-For header of HTTP transactions
  • Network device initiates HTTP CONNECT request to ProxySG

Resolution

The solution is to use the Effective Client IP object.

Open the Visual Policy Manager (Management Console > Configuration > Policy > Visual Policy Manager > Launch), and from the Visual Policy Manager (VPM):


1) Create a Web Access Layer and move it before the other Web Layers you want to apply policy to. Create a new rule, right-click on Service, and select Set.

2) Select New

3) Then select Client Protocol


4) Select HTTP from the top drop-down menu
5) Select All HTTP from the bottom drop-down menu
6) Select OK


7) You should now be back in the first pop-up menu and see a new object called 'All HTTP'. Select it.
8) Select OK. You should now have All HTTP as the Service for this rule.


9) Right-click on Action, and select Set
10) On the menu that pops up, select New
11) Select 'Set Effective Client IP'


12) From the drop-down on the following pop-up, select $(request.header.X-Forwarded-For)
13) Select Add
14) Select OK

You should now see a rule that sets the Effective Client IP to the value of the X-Forwarded-For header for all HTTP traffic.

15) In a new or existing layer, select a rule you want to be triggered by the effective client IP, right-click on Source, and select Set
16) Select New
17) Select Client IP Address/Subnet


18) On the following menu, type in the effective client IP (or subnet) you want to match
19) Select 'Look up effective client IP (if configured)'
20) Click Add


Use this object as the Source for your rule, and adjust other rules as necessary.


21) Install Policy
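The following is an added illustration, not ProxySG code, of the logic the two rules above express: take the client address from X-Forwarded-For on the CONNECT request and evaluate a Client IP Address/Subnet match against that effective address. It goes slightly beyond the VPM steps by honouring the header only when the TCP peer is the known NAT device (an assumed trusted-forwarder list), which is what the Source column of the first rule should restrict in practice. The sample request, IPs and function names are constructed for the example.

```python
import ipaddress

# Constructed sample: a CONNECT request as a NAT-ing child proxy would send
# it to the ProxySG. Leftmost X-Forwarded-For entry is the original client;
# the proxy (192.0.2.10) has appended itself.
SAMPLE_CONNECT = (
    b"CONNECT secure.example.com:443 HTTP/1.1\r\n"
    b"Host: secure.example.com:443\r\n"
    b"X-Forwarded-For: 10.1.2.3, 192.0.2.10\r\n"
    b"\r\n"
)


def parse_headers(raw_request):
    """Split a raw HTTP request head into (request line, {lower-name: value})."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def effective_client_ip(peer_ip, headers, trusted_forwarders):
    """Equivalent of 'Set Effective Client IP' from X-Forwarded-For.

    The header is only trusted when the TCP peer is one of the known NAT
    devices; anything else keeps the peer address, since any client can
    send an X-Forwarded-For header of its own choosing.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("x-forwarded-for")
    if xff and peer in {ipaddress.ip_address(t) for t in trusted_forwarders}:
        first = xff.split(",")[0].strip()  # original client, not the proxy
        try:
            return ipaddress.ip_address(first)
        except ValueError:
            pass  # malformed header: fall back to the real peer
    return peer


def evaluate(raw_request, peer_ip, trusted_forwarders, source_subnet):
    """Run both rules: derive the effective client IP, then test a
    Client IP Address/Subnet object against it.
    Returns (effective_ip_as_string, rule_matched)."""
    _, headers = parse_headers(raw_request)
    eff = effective_client_ip(peer_ip, headers, trusted_forwarders)
    return str(eff), eff in ipaddress.ip_network(source_subnet)
```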
