Cisco Systems OL-15491-01 Network Hardware User Manual


 
Cisco Content Services Gateway - 2nd Generation Release 2.0 Installation and Configuration Guide
OL-15491-01
Appendix A CSG2 Command Reference
subscriber-ip http-header forwarded-for
To prevent exposure of potentially sensitive IP addresses, the CSG2 can obscure the contents of
X-Forwarded-For headers, overwriting the contents with blanks.
If you want to obscure the contents of the X-Forwarded-For header, enter the subscriber-ip
http-header x-forwarded-for command with the obscure keyword.
If you do not want to obscure the contents of the X-Forwarded-For header, enter the subscriber-ip
http-header x-forwarded-for command without the obscure keyword (the default setting).
When obscuring the IP address in X-Forwarded-For headers, keep the following considerations in
mind:
- The CSG2 does not obscure the IP address in fragmented request packets that have
  X-Forwarded-For headers, because the CSG2 does not reassemble the fragments and therefore
  cannot modify the packets.
- The CSG2 does not obscure the X-Forwarded-For header for traffic that is downgraded from
  Layer 7 inspection to Layer 4 inspection.
- If the active CSG2 fails over to the standby CSG2, the standby CSG2 does not obscure the IP
  address in the X-Forwarded-For header for existing HTTP sessions. However, the standby CSG2
  does obscure the IP address in X-Forwarded-For headers for new HTTP sessions.
- If the subscriber sends more than one GET request with X-Forwarded-For headers, and the
  content host fails to send a TCP acknowledgement within five seconds, the CSG2 resets the
  subscriber-side connection.
Examples

The following example configures the CSG2 to obtain the subscriber's IP address from the HTTP
X-Forwarded-For header, and obscures the IP address in the X-Forwarded-For header:

  ip csg content MOVIES
   parse protocol http
   subscriber-ip http-header x-forwarded-for obscure
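
A check that could be run on the content-host side to confirm that X-Forwarded-For values arrive blanked, including for the fragmented, downgraded and failed-over cases listed in the considerations. This is an added example, not part of the Cisco guide; the sample requests, host name and function names are constructed, and it assumes the obscured value arrives as blanks, as the text states.

```python
import ipaddress

# Constructed raw HTTP requests, as a content host behind the gateway might receive them.
SAMPLE_REQUESTS = {
    "obscured": b"GET /a HTTP/1.1\r\nHost: movies.example\r\nX-Forwarded-For:            \r\n\r\n",
    "leaked": b"GET /b HTTP/1.1\r\nHost: movies.example\r\nx-forwarded-for: 10.20.30.40\r\n\r\n",
    "chain": (b"GET /c HTTP/1.1\r\nHost: movies.example\r\nX-Forwarded-For:     \r\n"
              b"X-Forwarded-For: unknown, 2001:db8::7\r\n\r\n"),
    "absent": b"GET /d HTTP/1.1\r\nHost: movies.example\r\n\r\n",
}


def xff_values(raw_request: bytes) -> list:
    """Return the raw value of every X-Forwarded-For header line in the request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")   # first colon only, so IPv6 values survive
        if sep and name.strip().lower() == "x-forwarded-for":
            values.append(value)
    return values


def leaked_addresses(raw_request: bytes) -> list:
    """Return every parseable IP address still present in X-Forwarded-For."""
    leaked = []
    for value in xff_values(raw_request):
        for token in value.split(","):           # the header may carry a comma-separated chain
            try:
                leaked.append(str(ipaddress.ip_address(token.strip())))
            except ValueError:
                continue                         # blank (obscured) or non-address token
    return leaked


def audit(requests: dict) -> dict:
    """Map request name -> leaked addresses, for requests that still expose one."""
    findings = {}
    for name, raw in requests.items():
        addresses = leaked_addresses(raw)
        if addresses:
            findings[name] = addresses
    return findings


if __name__ == "__main__":
    for name, addresses in audit(SAMPLE_REQUESTS).items():
        print(f"{name}: X-Forwarded-For not obscured -> {', '.join(addresses)}")
```
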
Related Commands

Command                 Description
ip csg content          Configures content for CSG2 services, and enters CSG2 content
                        configuration mode.
ip csg mode single-tp   Enables the CSG2 to use a single TP instead of multiple TPs.
parse length            Defines the maximum number of Layer 7 bytes that the CSG2 is to parse when
                        attempting to assign a policy.
parse protocol          Defines how the CSG2 is to parse traffic for a content.