Request Header inspection for client ip

kaluaabyss
New User
Posts: 7
Joined: Mon Oct 23, 2017 12:59 pm

Request Header inspection for client ip

Post by kaluaabyss » Mon Oct 23, 2017 2:26 pm

Does Cerberus inspect the header for fields like 'X-forwarded-for' in order to capture the real client IP?

In our environment, a Netscaler is acting as a reverse proxy in our DMZ. Cerberus only captures the Netscaler's SNIP instead of the real client IP. I've tried sending 'X-forwarded-for' but I don't know if Cerberus is even inspecting the header data or what field it might be looking for.

Thank you.

pacman
Senior User
Posts: 187
Joined: Thu Apr 28, 2016 1:54 pm

Re: Request Header inspection for client ip

Post by pacman » Tue Oct 24, 2017 11:06 am

Yes, Cerberus looks at the X-Forwarded-For header for HTTPS connections.

FTP and SFTP have no such headers or standard capability to convey that the connection originated elsewhere. It's up to the firewall to use the client IP for the source port when it forwards the connection on.

There's nothing that needs to be enabled in Cerberus for the server to take advantage of the X-Forwarded-For header.

Re: Request Header inspection for client ip

Post by kaluaabyss » Wed Oct 25, 2017 12:29 pm

Thanks for your reply. Good to know it should be working for HTTPS - now to figure out why it isn't.

Re: Request Header inspection for client ip

Post by kaluaabyss » Wed Oct 25, 2017 4:13 pm

I added an HTTP version of my configuration so I could inspect the packets easily and verified X-Forwarded-For is in the received packets. Unfortunately, the Cerberus Log is still showing the Netscaler's SNIP instead of the X-Forwarded-For IP.

Any ideas?

Thank you.

Re: Request Header inspection for client ip

Post by pacman » Thu Oct 26, 2017 1:38 pm

I would make sure that you are running on the latest version of Cerberus, and if so, I would reach out to the firewall vendor.

Re: Request Header inspection for client ip

Post by kaluaabyss » Thu Oct 26, 2017 2:19 pm

Thanks pacman.

My Cerberus version is 9.0.0.6, which appears to be the latest.

The actual packet received by the Cerberus server has X-Forwarded-For in it, but the Cerberus Log is not referencing it. Not sure what I could tell the reverse proxy vendor given the fact that the header is being appended properly. Perhaps I'm missing something or there is a bug in this version of Cerberus... does the case sensitivity of the header field matter in any way?

Update: I blocked my IP and verified it is processing the X-Forwarded-For properly - so it is just the Log that is not representing that information apparently.
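
The thread ends with the block list honouring X-Forwarded-For while the log shows only the proxy address, and with an open question about header case. As an added example (not part of the thread and not Cerberus code), this Python shows one way a server behind a reverse proxy can resolve the client IP: the field name is matched case-insensitively, the header is honoured only when the TCP peer is a trusted proxy, and the log line carries both addresses. The function names and every address (10.0.0.5 stands in for the proxy's SNIP) are assumptions constructed for the example.

```python
import ipaddress

# Constructed value: 10.0.0.5 stands in for the reverse proxy's SNIP.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def get_header(headers, name):
    """HTTP field names are case-insensitive (RFC 9110), so compare casefolded."""
    values = [v for k, v in headers if k.casefold() == name.casefold()]
    return ", ".join(values) if values else None

def resolve_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (client_ip, source), where source is 'peer' or 'x-forwarded-for'.

    The header is honoured only when the TCP peer is a trusted proxy. The list
    is walked right to left so entries supplied by the client are ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return str(peer), "peer"
    raw = get_header(headers, "X-Forwarded-For")
    if not raw:
        return str(peer), "peer"
    for hop in reversed([h.strip() for h in raw.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer), "peer"  # malformed entry: fall back to the peer
        if addr not in trusted:
            return str(addr), "x-forwarded-for"
    return str(peer), "peer"

def log_line(peer_ip, headers):
    """Record both addresses so the log and the block list can be reconciled."""
    client, source = resolve_client_ip(peer_ip, headers)
    return f"client={client} via={source} peer={peer_ip}"

def is_blocked(peer_ip, headers, blocklist):
    """Apply the block list to the resolved client, not the proxy address."""
    return resolve_client_ip(peer_ip, headers)[0] in blocklist

if __name__ == "__main__":
    hdrs = [("x-forwarded-for", "203.0.113.7")]  # constructed request header
    print(log_line("10.0.0.5", hdrs))
    print(is_blocked("10.0.0.5", hdrs, {"203.0.113.7"}))
```

A request that arrives directly, not through the trusted proxy, is logged and filtered by its own peer address no matter what X-Forwarded-For it sends.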
