Add HTTP Headers

I already have X-Forwarded-For (No Via) added to my Exchange VIP.

Per this link, I've added fields to IIS to determine the TLS version and ciphers used in connections, in an effort to determine what may be connecting via TLS 1.0: New IIS functionality to help identify weak TLS usage - Microsoft Security

How can I add the headers to the VIP so that they appear on traffic coming through the Kemp? The headers do work, as I see the data on connections that are not going through the Kemp.

5 comments

Brian Morich Official comment

This can be achieved by enabling Add Received Cipher Name under "SSL Properties".

After that the following headers can be added to IIS logging as a custom field, the same way we would add the X-Forwarded-For header.

  • X-SSL-Cipher
  • X-SSL-Protocol
  • X-SSL-Serialid
  • X-SSL-ClientSerialid
  • X-SSL-SNIHost

https://support.kemptechnologies.com/hc/en-us/articles/360002861712-Adding-The-X-Forwarded-For-Header-and-Configuring-IIS-Logging
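One way to use those fields once they are in the IIS logs, as an added example (not Kemp's or Microsoft's code): a Python parser for the W3C log that reports which clients negotiated a weak protocol, keyed by the X-Forwarded-For address the LoadMaster sets. The log lines, the custom field names as they appear in the log, and the protocol/cipher strings are constructed assumptions.

```python
from collections import defaultdict

# Constructed IIS W3C log sample with the custom fields from the Kemp article
# (X-Forwarded-For and the injected X-SSL-* headers); names/values are assumptions.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip X-Forwarded-For X-SSL-Protocol X-SSL-Cipher
2021-03-01 10:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync 200 10.0.0.2 203.0.113.10 TLSv1.0 AES128-SHA
2021-03-01 10:00:02 10.0.0.5 GET /owa/ 200 10.0.0.2 203.0.113.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2021-03-01 10:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync 200 10.0.0.2 203.0.113.10 TLSv1.0 AES128-SHA
2021-03-01 10:00:04 10.0.0.5 GET /owa/ 200 192.0.2.7 - - -
"""

WEAK_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip malformed lines, never misalign
            yield dict(zip(fields, values))

def weak_tls_report(text):
    """Return ({(client, protocol): {"requests": n, "ciphers": set}}, unlabelled).
    Client is X-Forwarded-For when the LoadMaster set it, else c-ip."""
    report = defaultdict(lambda: {"requests": 0, "ciphers": set()})
    unlabelled = 0  # no X-SSL-Protocol: direct to the RS, or option disabled
    for rec in parse_w3c(text):
        proto = rec.get("X-SSL-Protocol", "-")
        if proto == "-":
            unlabelled += 1
        elif proto in WEAK_PROTOCOLS:
            client = rec.get("X-Forwarded-For", "-")
            if client == "-":
                client = rec["c-ip"]
            entry = report[(client, proto)]
            entry["requests"] += 1
            entry["ciphers"].add(rec.get("X-SSL-Cipher", "-"))
    return dict(report), unlabelled

if __name__ == "__main__":
    found, missing = weak_tls_report(SAMPLE_LOG)
    for (client, proto), info in sorted(found.items()):
        print(client, proto, info["requests"], sorted(info["ciphers"]))
    print(missing, "request(s) carried no X-SSL-Protocol header")
```

A non-zero unlabelled count is the symptom from the question above: requests that reached IIS without the header, either because they bypassed the VIP or because the option is not in effect.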

Nick Smylie

Hi Mark,

In the .52 release we added a new functionality, 'Add Received Cipher Name'. When enabled it adds headers to the backend connection to the RS.

SSL Information in Client Request Headers

  • A new check box, Add Received Cipher Name, has been added to the SSL Properties section for HTTP/HTTPS Virtual Services. This option is disabled by default which means there is no change from the behavior in previous releases. When this option is enabled, the LoadMaster adds the following headers:
    • X-SSL-Cipher
    • X-SSL-Protocol
    • X-SSL-Serialid
    • X-SSL-ClientSerialid
    • X-SSL-SNIHost

Full link below to our release notes. It does not add all the headers, but it will add the cipher and TLS version, which correlate to the article you linked.

We can add those headers manually, but it will not do much as there will not be a value in them. What you could do is add these headers to your IIS logs similar to how you added the X-Forwarded-For header. Let us know how this works out.

https://support.kemptechnologies.com/hc/en-us/articles/360048672752-LoadMaster-7-2-52-0-Release-Notes

mark.puchalski

Great - looks like what I need.

My VIP for Exchange does not re-encrypt. Is that an issue? I've enabled the 'add received cipher name' and modified the IIS config file. I see the fields on connections that do not go through the VIP, but nothing for those that do use the VIP.

Nick Smylie

Hi Mark,

No issue with that. I will say most customers do re-encrypt though, as they do not like port 80 traffic to the RS. Even though it usually does not matter since it is a reverse proxy setup (two separate connections, front end and back end).

As for your second statement: do you see the headers/fields in your IIS logs or in a pcap? If you see it on connections NOT through the VIP, it sounds like it's not going through the LM at all. The ones going through the VIP, not sure, would need to look at your config. May be best to take this through a ticket. I will open one up for you.

manuelbrooks5.0

The recommendation was to start their name with "X-", e.g. X-Forwarded-For, X-Requested-With. This is also mentioned in, among others, section 5 of RFC 2047.

On June 2011, the first IETF draft was posted to deprecate the recommendation of using the "X-" prefix for non-standard headers. The reason is that when non-standard headers prefixed with "X-" become standard, removing the "X-" prefix breaks backwards compatibility, forcing application protocols to support both names (E.g, x-gzip & gzip are now equivalent). So, the official recommendation is to just name them sensibly without the "X-" prefix.