Skip to main content

Real client IP from SSH via Reverse Proxy

Comments

3 comments

  • Dana Anderson
    Product Support

    Hello, Jason. 

    The X-FORWARDED-FOR header in HTTPS allows the firewall to keep its IP in the packet source field, but still inform Cerberus that the connection originated from a different client.  

    Unfortunately, FTP and SFTP have no such headers or standard capability to convey that the connection originated elsewhere.  It's up to the firewall/network device to use the client IP for the source port when it forwards the connection on.

    You could get the source IP for client connections for SFTP and FTPS if your device supported that option.  It's really all up to the device.  Cerberus doesn't have any control over what source IP address the proxy decides to use. 

     

     

    0
  • Jason Webb

    Hi Dana,

    Cerberus seems to be actively rejecting TCP packets with the header insertion change which would inform it of the true client IP -- so perhaps this is more of a bug or incompatibility issue with Citrix ADC specifically.

    0
  • Paul Jordan

    Jason, I created a feature request for cerberus to release a separate proxy agent, to fix a similar problem to what you are seeing. https://support.cerberusftp.com/hc/en-us/community/posts/360003390000-Cerberus-DMZ-Proxy-Agent

    1

Please sign in to leave a comment.