VMware NSX

  • 1.  “Insert X-Forwarded-For HTTP header”

    Posted Jan 05, 2017 09:23 AM

    I am planning to deploy NSX Load balancer in Proxy (One Arm Mode)

    I will be enabling “Insert X-Forwarded-For HTTP header” to insert the original IP address of the client into the HTTP header before performing S-NAT.

    I have the below questions.

    1. Will this work for HTTPS requests also, or will it work only for HTTP requests?

    2. How is “Insert X-Forwarded-For HTTP header” different from enabling the transparent option?



  • 2.  RE: “Insert X-Forwarded-For HTTP header”

    Broadcom Employee
    Posted Jan 05, 2017 09:52 AM

    X-Forwarded-For HTTP header (XFF) is inserted for:

      1. HTTP VIP

      2. HTTPS VIP if the NSX LB terminates the client HTTPS (not SSL passthrough). Note: This means you must have the application SSL certificate imported in NSX Edge.

    If you have XFF enabled in the Application Profile for case 1 or case 2, the XFF HTTP header will be added to the request to the server.

    And this applies whether you have configured your pool in transparent mode (no SNAT) or non-transparent mode (SNAT).

    Dimitri



  • 3.  RE: “Insert X-Forwarded-For HTTP header”

    Posted Jan 06, 2017 10:20 AM

    Thanks.

    2. HTTPS VIP if the NSX LB terminates the client HTTPS (not SSL passthrough). Note: This means you must have the application SSL certificate imported in NSX Edge.


    This means that the client IP address will be carried if the NSX LB terminates the client HTTPS request.

    If it is configured as pass-through, the client IP will not be carried for the HTTPS request.


    Let me know if my above understanding is right.



  • 4.  RE: “Insert X-Forwarded-For HTTP header”
    Best Answer

    Broadcom Employee
    Posted Jan 06, 2017 10:34 AM

    The fact that NSX-Edge LB terminates SSL means NSX-Edge LB can modify the HTTPS client request (like adding an XFF header).

    Note: just as NSX-Edge LB can do for HTTP traffic.

    The fact that NSX-Edge is configured in transparent mode (= no SNAT)

    (and this applies whether that's HTTP, HTTPS passthrough, HTTPS end-to-end SSL, HTTPS SSL offload, or whatever)

    means the client source IP (at layer 3) will NOT be replaced by the Edge IP => the backend server can see the real client IP address in the source IP address of the traffic.

    Attention: Transparent mode requires the servers' default gateway to be the Edge.

    Dimitri
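
    The two answers from Dimitri above describe how the backend ends up seeing the client address: via XFF only when the Edge can see the HTTP layer (HTTP VIP, or HTTPS it terminates), and via the layer-3 source only when the pool is transparent (no SNAT). The Python model below is an added example, not code from this thread or from VMware; the addresses, the names `edge_forward`/`client_ip`, and the comma-append merge of an existing X-Forwarded-For value are assumptions. It runs the configurations discussed against a client that forges its own X-Forwarded-For header and shows what a backend must get right: trust XFF only when the peer is the Edge's SNAT address, read it from the right-hand end, and not at all behind an SSL passthrough VIP.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses for this example (not from the thread).
CLIENT_IP = "203.0.113.7"   # real client
EDGE_IP = "10.10.10.5"      # NSX Edge address that SNATs towards the pool (assumed)
TRUSTED_PROXIES = frozenset({ipaddress.ip_address(EDGE_IP)})


@dataclass
class Request:
    src_ip: str                                  # layer-3 source as seen by the receiver
    headers: dict = field(default_factory=dict)  # HTTP headers; visible to the Edge only if it sees HTTP


def edge_forward(req, transparent, terminates_tls, insert_xff=True):
    """Model of what the Edge LB hands to the pool member, following the thread:
    - XFF can only be inserted when the Edge sees the HTTP layer (plain HTTP VIP, or an
      HTTPS VIP it terminates); with SSL passthrough the request is opaque and untouched.
    - The layer-3 source is rewritten to the Edge IP unless the pool is transparent (no SNAT).
    An existing XFF is modelled as comma-appended (common proxy convention; assumption)."""
    headers = dict(req.headers)
    if insert_xff and terminates_tls:
        prior = headers.get("X-Forwarded-For")
        headers["X-Forwarded-For"] = f"{prior}, {req.src_ip}" if prior else req.src_ip
    return Request(req.src_ip if transparent else EDGE_IP, headers)


def client_ip(req, trusted_proxies=TRUSTED_PROXIES, proxy_inserts_xff=True):
    """Backend-side recovery of the client address.
    Honour XFF only when the peer is a trusted proxy AND we know that proxy appends the
    header; then walk the list from the right, skipping trusted hops, so anything the
    client put on the left cannot spoof the result."""
    peer = ipaddress.ip_address(req.src_ip)
    if peer not in trusted_proxies or not proxy_inserts_xff:
        return str(peer)   # transparent mode, direct hit, or passthrough: L3 source is all we have
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break          # malformed entry: stop trusting anything further left
        if addr not in trusted_proxies:
            return str(addr)
    return str(peer)       # no usable XFF: the proxy is the only address we can vouch for


def scenarios():
    """Run the configurations discussed in the thread against a client that sends its own
    forged X-Forwarded-For (constructed input) and return what the backend concludes."""
    forged = Request(CLIENT_IP, {"X-Forwarded-For": "198.51.100.9"})
    out = {}
    # 1. SNAT pool + Edge terminates HTTPS: XFF appended, client recovered from the right end.
    r = edge_forward(forged, transparent=False, terminates_tls=True)
    out["snat_terminated"] = (r.src_ip, r.headers["X-Forwarded-For"], client_ip(r))
    # 2. SNAT pool + SSL passthrough: no XFF inserted, so the client IP is lost at the backend;
    #    a backend that still trusts XFF from the Edge swallows the forged value.
    r = edge_forward(forged, transparent=False, terminates_tls=False)
    out["snat_passthrough"] = (r.src_ip, client_ip(r, proxy_inserts_xff=False))
    out["snat_passthrough_misconfigured_backend"] = client_ip(r)  # trusts XFF it should not
    # 3. Transparent pool + SSL passthrough: L3 source survives, forged XFF is ignored.
    r = edge_forward(forged, transparent=True, terminates_tls=False)
    out["transparent_passthrough"] = (r.src_ip, client_ip(r))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

    In transparent mode the Edge address never appears as the peer, so the XFF branch is never taken and a client-supplied header is harmless. The combination to watch is a SNAT pool behind an SSL passthrough VIP: the peer is the Edge, so the backend is inclined to trust the header, but the Edge never wrote it, and whatever the client sent arrives unchanged.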



  • 5.  RE: “Insert X-Forwarded-For HTTP header”

    Posted Jan 06, 2017 10:52 AM

    Thanks.



  • 6.  RE: “Insert X-Forwarded-For HTTP header”

    Posted Jul 14, 2018 01:40 PM

      Your explanation is very helpful. For those who are a little confused about "Transparent", Dimitri is referring to "Transparent" as a mode (in-line = two-armed). I believe the original question was related to the transparent tick box on the pool, not the mode.

      I do not know if the transparent tick box is a requirement for in-line.