Configuring HTTP Headers for Load Balancers, Web Application Firewalls, and Reverse Proxies

Certain functionality in the CSM Browser Client, CSM Portal, and Cherwell REST API requires knowledge of a user's fully qualified domain name (FQDN).

In the initial request, this information is provided by the "Host:" header, but web application firewalls (WAFs), load balancers, and reverse proxies typically overwrite the value of this header as they pass the request through to the web server that will ultimately service the request (upstream server).

CSM looks for two groups of headers to determine the original connection's host (FQDN) and protocol/scheme (HTTP vs. HTTPS) respectively. These follow current web standards, some of which are set by default on some of the more common WAFs and load balancers.

Connection's Host

• X-Forwarded-Host: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
• Host: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host

Connection's Protocol/Scheme

• Forwarded: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded (note that CSM only evaluates the "proto=" part of this header's value, if present)
• X-Forwarded-Proto: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

If multiple headers are present, CSM will look for the first one present, starting at the top of the lists above (that is, "X-Forwarded-Host" takes precedence over "Host").

Alternate option: Some WAFs, load balancers, and reverse proxies allow system administrators to configure the value used for the "Host:" header sent to the upstream server. This can work, but is not recommended.

We include reference to reverse proxies due to certain similarities to WAFs and load balancers. However, we recommend using a load balancer for server farms and an optional WAF; a reverse proxy is not required by CSM and is typically unnecessary and discouraged. Forward proxies are not supported.