Forum Discussion
Client Source IP - SSL pass through
Hi, the Cisco smart space needs to know the source IP address of the client to register it and accept the traffic. Also, SSL termination cannot be done on the F5 due to some limitation of the application, so SSL pass-through is configured. I've read https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
but is there any way to distinguish each client's traffic? Right now the source IP of all the traffic is the F5.
Thanks, Ellie
- Elasa_26701 (Nimbostratus): If I add a client SSL and server SSL, can I access the source IP address with X-Forwarded-For?
- shaggy (Nimbostratus): Yes. Why doesn't the application allow SSL offload? Is it simply that the application requires SSL?
- Elasa_26701 (Nimbostratus): I'm not aware of the application's features; they just told me the tests were unsuccessful and they need SSL pass-through. So the server SSL will do it for me, thank you.
- shaggy (Nimbostratus): clientssl and serverssl profiles perform SSL offload, which won't work for this application.
- R_Marc (Nimbostratus):
You could, in theory, utilize Proxy SSL, assuming your security policy allows it. This requires that you have the same SSL cert and key on all the pool members and that the cert/key is available to the F5 as well.
https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
With this configuration you can use an iRule to insert/modify X-Forwarded-For.
This is, for all intents and purposes, a man-in-the-middle. It only works for RSA. If you require ECC it doesn't work.
- Elasa_26701 (Nimbostratus): But serverssl encrypts the traffic again, so the server receives it encrypted. So for the server, isn't it like SSL pass-through?
- shaggy (Nimbostratus): It depends on why the application would not work before when a clientssl profile was applied. A clientssl profile will terminate the client's SSL session on the F5, and the serverssl profile will re-encrypt back to the pool member. If coupled with an http profile with X-Forwarded-For enabled, the backend device should be able to use the X-Forwarded-For header as the client IP.
- Elasa_26701 (Nimbostratus): Thanks, I will test it.
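The header insertion that both R_Marc's Proxy SSL suggestion and shaggy's clientssl/serverssl suggestion rely on, written out as an iRule. This is an added example and not code from the thread or from F5; it assumes the virtual server already has a clientssl profile plus a serverssl profile (or Proxy SSL) and an http profile, since without HTTP visibility BIG-IP cannot touch the header at all, which is exactly why plain SSL pass-through cannot deliver the client IP.

```tcl
# Added example (not from the thread). Assumes a virtual server that
# already carries a clientssl profile plus a serverssl profile (or Proxy
# SSL) and an http profile, so BIG-IP can see and modify HTTP headers.
when HTTP_REQUEST {
    # A client can send its own X-Forwarded-For to impersonate another
    # address. Strip anything that arrived from the client first, then
    # set the header to the address BIG-IP actually accepted the TCP
    # connection from. HTTP::header remove drops every instance of the
    # named header, so the pool member never sees a second,
    # client-controlled copy alongside the trusted one.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]

    # Optional while validating the setup: log what was inserted.
    # local0 writes to /var/log/ltm; remove once the backend registers
    # clients correctly.
    log local0. "XFF set to [IP::client_addr] for [HTTP::host][HTTP::uri]"
}
```

The http profile's own Insert X-Forwarded-For setting (in tmsh, `insert-xforwarded-for enabled` on the `ltm profile http`) performs the insertion without an iRule; what the iRule adds is the step of discarding a client-supplied value. Whichever way the header is set, the pool member should trust X-Forwarded-For only on connections whose TCP peer is the BIG-IP (the SNAT or self IP the thread already sees as the source), otherwise any host that can reach the pool member directly can still forge it.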