Preserving IP Addresses with SSL Forwarding

When the Traffic Manager forwards HTTP requests, it can optionally insert a header named X-Forwarded-For into the request so that downstream servers can determine the correct source IP address of the request. If the Traffic Manager decrypts an HTTPS request, it can also insert the X-Forwarded-For header into the request, even if it then re-encrypts the request.

However, if the Traffic Manager forwards an SSL request without decrypting and re-encrypting it, it cannot modify the data inside. This configuration is used with a loopback virtual server, whereby the connections are load-balanced across a cluster of Traffic Manager systems for decryption. In this case, you may use the ssl_enhance setting in the pool to add a proprietary header to the SSL connection that carries the connection data that would otherwise not be preserved, namely the source IP address and port and the destination IP address and port.

The Traffic Manager system that receives the “enhanced” SSL connection must be configured with the ssl_trust_magic setting in the SSL decryption settings of its virtual servers. This setting causes the Traffic Manager to strip out the proprietary header and recognize the correct connection data: the source IP address and port, and the destination IP address and port.
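To illustrate the mechanism the two settings implement, here is an added example that is not part of the original documentation and does not reproduce the Traffic Manager's actual proprietary wire format: the marker bytes, field layout and function names below are constructed assumptions. The sending side (the ssl_enhance role) prepends a small fixed-length header carrying the original source and destination IP and port to the still-encrypted byte stream; the receiving side (the ssl_trust_magic role) strips it and recovers the connection data, but only when the bytes arrived from a peer it has been configured to trust, so that an arbitrary client cannot spoof its source address by sending the same marker.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional, Set, Tuple

# Constructed marker for this example only; the real Traffic Manager header format
# is proprietary and is not documented on this page.
MAGIC = b"XCONN1"
# Header layout after the marker: src IPv4 (4 bytes), src port (2), dst IPv4 (4), dst port (2).
LAYOUT = "!4sH4sH"
HEADER_LEN = len(MAGIC) + struct.calcsize(LAYOUT)


class ConnInfo(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def build_enhanced_header(info: ConnInfo) -> bytes:
    """Sending side: encode the original 4-tuple ahead of the opaque SSL bytes (IPv4 only)."""
    src = ipaddress.IPv4Address(info.src_ip).packed
    dst = ipaddress.IPv4Address(info.dst_ip).packed
    return MAGIC + struct.pack(LAYOUT, src, info.src_port, dst, info.dst_port)


def strip_enhanced_header(
    stream: bytes, peer_ip: str, trusted_peers: Set[str]
) -> Tuple[Optional[ConnInfo], bytes]:
    """Receiving side: return (recovered connection data, remaining SSL bytes).

    The header is honoured only if it is well-formed AND the TCP peer that sent it is
    in the trusted set (the role of ssl_trust_magic). Otherwise the stream is returned
    untouched and no connection data is recovered, so an untrusted sender cannot
    inject a forged source address.
    """
    if peer_ip not in trusted_peers:
        return None, stream
    if not stream.startswith(MAGIC) or len(stream) < HEADER_LEN:
        return None, stream
    src, sport, dst, dport = struct.unpack(LAYOUT, stream[len(MAGIC):HEADER_LEN])
    info = ConnInfo(str(ipaddress.IPv4Address(src)), sport,
                    str(ipaddress.IPv4Address(dst)), dport)
    return info, stream[HEADER_LEN:]


if __name__ == "__main__":
    # Constructed sample: a client hit the front-end on 198.51.100.5:443 and the
    # front-end forwards the undecrypted stream to a cluster member from 10.0.0.2.
    original = ConnInfo("203.0.113.10", 51234, "198.51.100.5", 443)
    tls_bytes = b"\x16\x03\x01\x00\x05hello"  # stands in for an opaque TLS record
    wire = build_enhanced_header(original) + tls_bytes

    recovered, rest = strip_enhanced_header(wire, "10.0.0.2", {"10.0.0.2"})
    print("trusted peer  ->", recovered, rest == tls_bytes)

    recovered, rest = strip_enhanced_header(wire, "192.0.2.77", {"10.0.0.2"})
    print("untrusted peer->", recovered, rest == wire)
```

The untrusted-peer branch is the point to keep in mind when deploying the real settings: the decrypting virtual server should only trust the enhanced header on connections that genuinely come from the front-end cluster members, since any recovered source address is subsequently used for logging and access decisions.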