Allow X-Forwarded-For Headers to Site or No?
So, this one is new for me and I need a breakdown on it. I already Google'd about it but I want a answer from someone knowledgable in this matter.
We host multiple sites for clients. The sites are on IIS servers behind a load balancer. One of the sites we host is having issues when their customers try to access it behind a proxy. They can access it when they disable "X-Forwarded-For" option on the proxy but can't access it when they enable.
My question to you is should we enable it for these users? I ready that hackers can use that option if they breach your network and can use it to spoof the IP they came in on. So obviously for us this is a security issue.
I'm not even 100% sure where to enable this, I believe I would do it on the actual web server and not the firewall, but I need advice on the ramifications of if I do it to begin with.
We host multiple sites for clients. The sites are on IIS servers behind a load balancer. One of the sites we host is having issues when their customers try to access it behind a proxy. They can access it when they disable "X-Forwarded-For" option on the proxy but can't access it when they enable.
My question to you is should we enable it for these users? I ready that hackers can use that option if they breach your network and can use it to spoof the IP they came in on. So obviously for us this is a security issue.
I'm not even 100% sure where to enable this, I believe I would do it on the actual web server and not the firewall, but I need advice on the ramifications of if I do it to begin with.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for the explanation. It was the one I was looking for.
Without understanding your situation it is hard to answer your question
Depending on your loadbalancer, you could add the X-Forwarded-FOR to the loadbalancer.
Direct access client would not care about this header entry, the proxy may benefit..
Are their proxy chained? local proxy that connects to another of their proxy at HQ which in turns contacts your loadbalaner, passing data to the IIS instance, etc.