Forum Discussion
hooleylist
Dec 04, 2009 Cirrostratus
A client wouldn't include a response header in a subsequent request, so the only time that header would exist is if the client injected it. You might actually want to remove any prior instance to ensure a malicious client couldn't forge the header.
If the VIP is defined on port 0, you might also want to drop any non-80 or non-443 traffic. You can also do the check once in CLIENT_ACCEPTED instead of on each HTTP request:
when CLIENT_ACCEPTED {
    # Check the requested port
    switch [TCP::local_port] {
        80 {
            set proto http
        }
        443 {
            set proto https
        }
        default {
            # Drop the request
            drop
        }
    }
}
when HTTP_REQUEST {
    # Replace the X-Forwarded-Proto header if it exists
    # If it does not exist, a new instance will be inserted
    HTTP::header replace X-Forwarded-Proto $proto
}
Aaron
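Added example, not part of the post above and not F5 code: a small Python model of what a backend sees when a client sends forged X-Forwarded-Proto headers over plain HTTP, comparing three proxy strategies. It assumes that `HTTP::header replace` rewrites only the last occurrence of a header and that the backend trusts the first value it finds; the function names and the sample request are constructed for illustration.

```python
# Constructed sample: a client on port 80 sends two forged headers.
FORGED_REQUEST = [
    ("Host", "app.example"),
    ("X-Forwarded-Proto", "https"),
    ("x-forwarded-proto", "https"),
]

def _same(a, b):
    # HTTP header names are case-insensitive.
    return a.lower() == b.lower()

def insert_only(headers, name, value):
    # Proxy appends its own header and leaves client-supplied copies alone.
    return list(headers) + [(name, value)]

def replace_last(headers, name, value):
    # Assumed model of HTTP::header replace: rewrite the last occurrence,
    # or insert the header when it is absent.
    out = list(headers)
    for i in range(len(out) - 1, -1, -1):
        if _same(out[i][0], name):
            out[i] = (out[i][0], value)
            return out
    return out + [(name, value)]

def remove_then_insert(headers, name, value):
    # Strip every client-supplied instance, then add the trusted value.
    kept = [(n, v) for n, v in headers if not _same(n, name)]
    return kept + [(name, value)]

def values_seen(headers, name):
    return [v for n, v in headers if _same(n, name)]

def backend_proto(headers, name="X-Forwarded-Proto"):
    # Assumed backend behaviour: trust the first instance of the header.
    vals = values_seen(headers, name)
    return vals[0] if vals else None

if __name__ == "__main__":
    for strategy in (insert_only, replace_last, remove_then_insert):
        result = strategy(FORGED_REQUEST, "X-Forwarded-Proto", "http")
        print(strategy.__name__, values_seen(result, "X-Forwarded-Proto"),
              "-> backend sees", backend_proto(result))
```

Under these assumptions only the remove-then-insert strategy leaves a single, proxy-set value when the client sends more than one copy of the header.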