Forum Discussion
C3D and header insert
- Nov 28, 2022
If I may add,
Proxy SSL would only be useful if a) you could guarantee only (legacy) RSA TLS handshakes, and b) you had a copy of the backend server's private keys. Proxy SSL can only be used with RSA handshakes, so would never work with most modern crypto, including TLS1.3.
Nikoolayy1 has the right answer. Because C3D is actively decrypting the traffic in the proxy, you can add an HTTP profile and use HTTP iRules here to inject HTTP headers.
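A sketch of the header insert described in the reply above, added here as an illustration and not posted by anyone in the thread. It assumes a virtual server with a client SSL profile that requests a client certificate, C3D enabled, and an HTTP profile attached; the header name `X-Client-Cert` and the 403 policy are hypothetical choices.

```tcl
# Added example (not from the thread). Header name and 403 policy are assumptions.
when HTTP_REQUEST {
    # Remove any copy of the header supplied by the client, so the backend
    # only ever sees a value that the proxy itself inserted.
    HTTP::header remove "X-Client-Cert"

    # Insert only when the client presented a certificate in the TLS handshake.
    if { [SSL::cert count] > 0 } {
        # SSL::cert 0 returns the leaf certificate in DER form; base64 keeps it
        # on a single header line with no embedded newlines.
        HTTP::header insert "X-Client-Cert" [b64encode [SSL::cert 0]]
    } else {
        # Assumed policy: refuse rather than forward a request with no certificate.
        HTTP::respond 403 content "Client certificate required"
    }
}
```

The backend should accept this header only on connections that come from the F5, since anything else that can reach it could set the same header.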
The attached file shows the two solution scenarios presented to the customer. I did present the F5 performing a header insert and then their Apache server would take the user certificate out and then pass the user certificate to Oracle. I explained to them that their Apache server should not send a certificate request because the F5 will send a self-signed cert and the Apache will end the SSL negotiation because the Apache server will see the certificate signer and respond back with unknown CA.
The customer said their Apache server must prompt for a user certificate.
No matter what, the F5 must perform break and inspect, and there is no direct communication between the user web traffic and the backend servers.