
Request Header inspection for client ip

Posted: Mon Oct 23, 2017 2:26 pm
by kaluaabyss
Does Cerberus inspect the header for fields like 'X-forwarded-for' in order to capture the real client IP?

In our environment, a Netscaler is acting as a reverse proxy in our DMZ. Cerberus only captures the Netscaler's SNIP instead of the real client IP. I've tried sending 'X-forwarded-for' but I don't know if Cerberus is even inspecting the header data or what field it might be looking for.

Thank you.

Re: Request Header inspection for client ip

Posted: Tue Oct 24, 2017 11:06 am
by pacman
Yes, Cerberus looks at the X-Forwarded-For header for HTTPS connections.

FTP and SFTP have no such headers or standard capability to convey that the connection originated elsewhere. It's up to the firewall to use the client IP for the source port when it forwards the connection on.

There's nothing that needs to be enabled in Cerberus for the server to take advantage of the X-Forwarded-For header.

Re: Request Header inspection for client ip

Posted: Wed Oct 25, 2017 12:29 pm
by kaluaabyss
Thanks for your reply. Good to know it should be working for HTTPS - now to figure out why it isn't.

Re: Request Header inspection for client ip

Posted: Wed Oct 25, 2017 4:13 pm
by kaluaabyss
I added an HTTP version of my configuration so I could inspect the packets easily and verified X-Forwarded-For is in the received packets. Unfortunately, the Cerberus Log is still showing the Netscaler's SNIP instead of the X-Forwarded-For IP.

Any ideas?

Thank you.

Re: Request Header inspection for client ip

Posted: Thu Oct 26, 2017 1:38 pm
by pacman
I would make sure that you are running on the latest version of Cerberus and if so I would reach out to the firewall vendor.

Re: Request Header inspection for client ip

Posted: Thu Oct 26, 2017 2:19 pm
by kaluaabyss
Thanks pacman.

My Cerberus version is 9.0.0.6 which appears to be the latest.

The actual packet received by the Cerberus server has X-Forwarded-For in it, but the Cerberus Log is not referencing it. Not sure what I could tell the reverse proxy vendor given the fact that the header is being appended properly. Perhaps I'm missing something or there is a bug in this version of Cerberus... does the case sensitivity of the header field matter in any way?

Update: I blocked my IP and verified it is processing the X-Forwarded-For properly - so it is just the Log that is not representing that information apparently.
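
An added example, not part of the thread and not Cerberus's own code: one way a server behind a reverse proxy can resolve the client address from X-Forwarded-For, matching the field name case-insensitively and honoring the header only when the connection comes from a trusted proxy. The addresses are constructed (192.0.2.10 stands in for the NetScaler SNIP) and the function names are hypothetical.

```python
import ipaddress

# Constructed values: 192.0.2.10 stands in for the reverse proxy's SNIP.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def is_trusted(addr):
    """True if addr belongs to a proxy we operate."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Return the address that IP rules and logs should use.

    peer_addr: source address of the TCP connection.
    headers:   list of (name, value) pairs as received.
    """
    # Honor the header only when the connection came from a known proxy;
    # otherwise any client could choose its own "source" address.
    if not is_trusted(peer_addr):
        return peer_addr
    # HTTP field names are case-insensitive and the field may repeat.
    hops = []
    for name, value in headers:
        if name.strip().lower() == "x-forwarded-for":
            hops.extend(h.strip() for h in value.split(",") if h.strip())
    # Walk from the nearest hop outward. Entries to the left of the first
    # untrusted address were supplied by the client and are ignored.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
    return peer_addr


def log_fields(peer_addr, headers):
    """Record both addresses so logs and IP rules can be reconciled."""
    return {"peer": peer_addr, "client": client_ip(peer_addr, headers)}
```

Logging both the connection peer and the resolved client address makes it easy to see whether a mismatch like the one described in the last post is a display issue or a resolution issue.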