x-forwarded-for-client-cert header is not passed to backend by HTTP application load balancer

I have a global external Application Load Balancer set up as below

client → External proxy (mTLS enabled) → GCP global external Application Load Balancer (HTTPS) → External Origin server

When the external proxy forwards x-forwarded-for-client-cert as a result of mTLS authentication, it is not passed to the External Origin server by the GCP load balancer.

To isolate the problem to the GCP load balancer I did the below:

(1) Sent traffic from the client to the GCP load balancer directly with the header x-forwarded-for-client-cert and validated the headers on the receiver side; it didn't include x-forwarded-for-client-cert.

(2) Bypassed the GCP load balancer in the traffic path; x-forwarded-for-client-cert is received by the origin server as expected.

Could someone help me understand how to get this working?
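A way to make the isolation test in (1) and (2) repeatable is to capture the raw request as the origin sees it on each path and diff the header names against what the client sent, matching names case-insensitively as HTTP requires. The following is an added example, not code from the original post or from Google Cloud; the two captured requests, the placeholder certificate value and the hop IP addresses are constructed sample data.

```python
"""Header-forwarding check: which request headers survive a proxy hop?

Compares the header set the client (or the mTLS-terminating proxy) sent
with the header set the origin actually received, for a direct path and a
path through the load balancer, and reports what the hop dropped or added.
All captured requests below are constructed sample data, not real traffic.
"""
from typing import Dict, List, Tuple

# The header the question is about. Matching is case-insensitive.
CLIENT_CERT_HEADER = "x-forwarded-for-client-cert"

# Headers sent towards the origin (constructed; the cert value is a placeholder).
SENT_HEADERS: Dict[str, str] = {
    "Host": "origin.example.com",
    "User-Agent": "curl/8.0",
    "X-Forwarded-For-Client-Cert": 'Hash=PLACEHOLDER;Subject="CN=client"',
    "X-Request-Id": "abc123",
}

# Raw request as logged by the origin with the load balancer bypassed (constructed).
RECEIVED_DIRECT = b"""GET /health HTTP/1.1\r
Host: origin.example.com\r
User-Agent: curl/8.0\r
X-Forwarded-For-Client-Cert: Hash=PLACEHOLDER;Subject="CN=client"\r
X-Request-Id: abc123\r
\r
"""

# Raw request as logged by the origin via the load balancer (constructed):
# the proxy hop injects its own forwarding headers and the cert header is absent.
RECEIVED_VIA_LB = b"""GET /health HTTP/1.1\r
Host: origin.example.com\r
User-Agent: curl/8.0\r
X-Request-Id: abc123\r
X-Forwarded-For: 203.0.113.7, 35.190.0.1\r
X-Forwarded-Proto: https\r
Via: 1.1 google\r
\r
"""


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request, keyed by lowercase name."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def compare_hop(sent: Dict[str, str], received: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (dropped, added): names the hop removed and names it injected."""
    sent_names = {name.lower() for name in sent}
    received_names = set(received)
    dropped = sorted(sent_names - received_names)
    added = sorted(received_names - sent_names)
    return dropped, added


def header_survived(received_raw: bytes, name: str) -> bool:
    """True if the named header is present in the request the origin received."""
    return name.lower() in parse_request_headers(received_raw)


if __name__ == "__main__":
    for label, raw in (("direct", RECEIVED_DIRECT), ("via LB", RECEIVED_VIA_LB)):
        dropped, added = compare_hop(SENT_HEADERS, parse_request_headers(raw))
        print(f"{label}: cert header present={header_survived(raw, CLIENT_CERT_HEADER)} "
              f"dropped={dropped} added={added}")
```

Running this against real captures (for example, a backend that logs the raw request) shows at a glance which hop strips the header. Since the header carries client identity, the same capture also tells the origin which upstream hop it is actually talking to, which is the hop it must trust before honouring such a header.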

Hi @sba_gcomm,

Welcome to Google Cloud Community!

While HTTPS load balancers currently face a limitation in forwarding certificates to back-end servers, there are workarounds you can implement:

  • Passthrough load balancers are recommended if you need to forward the original client packets to the backends un-proxied.
  • SSL Load Balancer is a proxy load balancer that can be set up to manage either TCP or SSL traffic by utilizing a target TCP proxy or a target SSL proxy, depending on the case.
  • Global Load Balancers are typically used when your backend services are spread across various regions.

I hope the above information is helpful.