Cisco OL-15491-01 User Manual

Cisco Content Services Gateway - 2nd Generation Release 2.0 Installation and Configuration Guide

OL-15491-01

Appendix A CSG2 Command Reference

subscriber-ip http-header forwarded-for

To prevent exposure of potentially sensitive IP addresses, the CSG2 can obscure the contents of
X-Forwarded-For headers, overwriting the contents with blanks.

If you want to obscure the contents of the X-Forwarded-For header, enter the subscriber-ip http-header x-forwarded-for command with the obscure keyword.

If you do not want to obscure the contents of the X-Forwarded-For header, enter the subscriber-ip http-header x-forwarded-for command without the obscure keyword (the default setting).

When obscuring the IP address in X-Forwarded-For headers, keep the following considerations in
mind:

The CSG2 does not obscure the IP address in fragmented request packets that have
X-Forwarded-For headers, because the CSG2 does not reassemble the fragments and therefore
cannot modify the packets.

The CSG2 does not obscure the X-Forwarded-For header for traffic that is downgraded from
Layer 7 inspection to Layer 4 inspection.

If the active CSG2 fails over to the standby CSG2, the standby CSG2 does not obscure the IP
address in the X-Forwarded-For header for existing HTTP sessions. However, the standby CSG2
does obscure the IP address in X-Forwarded-For headers for new HTTP sessions.

If the subscriber sends more than one GET request with X-Forwarded-For headers, and the
content host fails to send a TCP acknowledgement within five seconds, the CSG2 resets the
subscriber-side connection.

Examples

The following example configures the CSG2 to obtain the subscriber's IP address from the HTTP
X-Forwarded-For header, and obscures the IP address in the X-Forwarded-For header:

ip csg content MOVIES
 parse protocol http
 subscriber-ip http-header x-forwarded-for obscure
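To confirm on the content-host side that obscuring is in effect, and to spot the cases listed above where it is not (fragmented requests, traffic downgraded to Layer 4, sessions carried across a failover), the following added example flags captured requests whose X-Forwarded-For value is not all blanks. It is not Cisco code; the function names, sample requests and the assumption that "blanks" means spaces or tabs are illustrative.

```python
# Added example, not Cisco code: audit requests captured on the content-host
# side for X-Forwarded-For values that were not overwritten with blanks.
# Assumption: an obscured value consists only of spaces/tabs.

def xff_values(raw_request: bytes) -> list[bytes]:
    """Return the raw value of every X-Forwarded-For header in one request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"x-forwarded-for":
            values.append(value)
    return values


def leaked_addresses(raw_request: bytes) -> list[str]:
    """Values that still carry content; an obscured header is all blanks."""
    return [v.strip(b" \t").decode("latin-1")
            for v in xff_values(raw_request) if v.strip(b" \t")]


def audit(captures: dict[str, bytes]) -> dict[str, list[str]]:
    """Map capture label -> leaked values, omitting clean requests."""
    report = {}
    for label, raw in captures.items():
        leaked = leaked_addresses(raw)
        if leaked:
            report[label] = leaked
    return report


# Constructed sample requests; host name and address are made up.
SAMPLES = {
    "obscured": b"GET /a HTTP/1.1\r\nHost: movies.example\r\n"
                b"X-Forwarded-For:          \r\n\r\n",
    "not-obscured": b"GET /b HTTP/1.1\r\nHost: movies.example\r\n"
                    b"x-forwarded-for: 10.1.2.3\r\n\r\n",
    "no-header": b"GET /c HTTP/1.1\r\nHost: movies.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, leaked in audit(SAMPLES).items():
        print(f"{label}: X-Forwarded-For still exposes {', '.join(leaked)}")
```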

Related Commands

| Command | Description |
|---|---|
| ip csg content | Configures content for CSG2 services, and enters CSG2 content configuration mode. |
| ip csg mode single-tp | Enables the CSG2 to use a single TP instead of multiple TPs. |
| parse length | Defines the maximum number of Layer 7 bytes that the CSG2 is to parse when attempting to assign a policy. |
| parse protocol | Defines how the CSG2 is to parse traffic for a content. |
