PingAuthorize

Configuring traffic through a load balancer

Use dsconfig or the administrative console to configure PingAuthorize Server to get traffic through a load balancer and to record the actual client’s IP address.

To record the actual client’s IP address to the trace log, enable X-Forwarded-* handling in both the intermediate HTTP server and the PingAuthorize Server.

By default, when a PingAuthorize Server is sitting behind an intermediate HTTP server, such as a load balancer, a reverse proxy, or a cache, it logs incoming requests as originating with the intermediate HTTP server instead of the client that sent the request.

When you set the use-forwarded-headers property and enable an HTTP connection handler to use Forwarded or X-Forwarded-* headers, many intermediate HTTP servers add information about the original request that would otherwise be lost.

If use-forwarded-headers is set to true, the server uses the client IP address and port information in the Forwarded or X-Forwarded-* headers instead of the address and port of the entity that’s sending the request (the load balancer). This client address information shows up in logs, such as in the from field of the HTTP REQUEST and HTTP RESPONSE messages.

If both the Forwarded and X-Forwarded-* headers are included in the request, the Forwarded header takes precedence. The X-Forwarded-Prefix header only overrides the context path for HTTP servlet extensions, not for web application extensions.

Dsconfig

Configuring traffic through a load balancer using dsconfig

Steps

  1. Edit the HTTP or HTTPS connection handler object and set use-forwarded-headers to true by running dsconfig.

    Example:

    dsconfig set-connection-handler-prop \
        --handler-name "HTTPS Connection Handler" \
        --set use-forwarded-headers:true
  2. To finalize the changes to the HTTP or HTTPS connection handler, use dsconfig to restart the connection handler.

    Example:

    dsconfig set-connection-handler-prop \
        --handler-name "HTTPS Connection Handler" \
        --set enabled:false
    
    dsconfig set-connection-handler-prop \
        --handler-name "HTTPS Connection Handler" \
        --set enabled:true
  3. To provide the X-Forwarded-* information to your load balancer, consult your provider’s guide on configuring load balancer settings.

Administrative console

Configuring traffic through a load balancer using the administrative console

Steps

  1. On the PingAuthorize administrative console Configuration page, click Connection Handlers.

  2. To edit your HTTP or HTTPS connection handler, in the Connection Handlers list, select the connection handler you want to edit.

  3. To enable Forwarded headers, go to Use Forwarded Headers and select the Enabled check box.

  4. Click Save.

  5. To finalize the changes to the HTTP or HTTPS connection handler, use dsconfig to restart the connection handler.

Example:

dsconfig set-connection-handler-prop \
    --handler-name "HTTPS Connection Handler" \
    --set enabled:false

dsconfig set-connection-handler-prop \
    --handler-name "HTTPS Connection Handler" \
    --set enabled:true

Because disabling the connection handler brings down the administrative console, you must complete this step in the command line instead of the administrative console.

  1. To provide the X-Forwarded-* information to your load balancer, consult your provider’s guide on configuring load balancer settings.