Forum Discussion
configure port 443 to use ssl that is installed on Apache or Caddy server
Hi,
Trying to open port 443 (https) without offloading the SSL cert. If I don't set up any profile, the BigIP does not forward traffic to my server. If I set up only a server-side SSL profile without any certificate, it forwards, but there is no information about the requested host.
I cannot find any information on how to do it properly.
Thank you for help
Luke
Hello, as you are trying to skip SSL offloading on the F5 and let the server handle the SSL handshakes, do not configure an HTTP profile or client- and server-side SSL profiles on the Virtual Server. In this config, the client will do the SSL handshake with the actual web server.
Just check the settings to see if SNAT is required to be enabled. If the web server's gateway is not the F5, you need to enable the SNAT option; otherwise it will cause an asymmetric routing issue.
Hope it helps!
Mayur
- Lukes
Altostratus
Hi Mayur,
I tried those options, and it still does not work. I tried the simplest option, which was:
the pool for that virtual server has one member, 192.168.1.199, with the Service Port set to 0 (I selected *).
I also tried exactly what you said, which was no HTTP profile, no SSL profile for client and server, and SNAT selected.
Any ideas? How to debug this stuff?
Now check for a route on the F5 to the web server IP, i.e. 192.168.1.199. Check if a proper route is available. This will also cause issues.
Mayur
- Lukes
Altostratus
When I ssh to the F5 box I can do a traceroute to 192.168.1.199 and it works. The only route that I have on the BigIP is the default one, which is the gateway for our public IP.
I have almost 100 Virtual Servers configured and everything works; however, I never tried to skip SSL offloading. I cannot believe that it is that complicated. Unless there is a bug in BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2.
- Lukes
Altostratus
Also, for everybody else, I am trying to run Caddyserver v2. The idea is that the whole application is configured in Caddy and the F5 BigIP is a pure firewall and, if possible, a load balancer.
- Lukes
Altostratus
I ran a few tests. I ran openssl externally and internally, and the external one did not receive any response.
Internal:
openssl s_client -connect 192.168.1.199:443 -cipher 'DEFAULT:!ECDH'
CONNECTED(00000003)
3073623740:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 161 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
External:
openssl s_client -connect next-app.XXXX.com:443 -cipher 'DEFAULT:!ECDH'
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 292 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
- Lukes
Altostratus
Thank you Mayur for your help. I finally fixed it by enabling Address Translation and Port Translation and setting Source Address Translation to AutoMap. Just two checkboxes fixed all issues. Now my Caddyserver v2 autoconfigures SSL and runs the website without problems. Love it.
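For readers who configure the BIG-IP from the command line rather than the GUI, here is the tmsh equivalent of the settings the thread converged on (no HTTP, client-ssl or server-ssl profile; address and port translation enabled; SNAT AutoMap). This is an added example, not configuration posted by Luke or Mayur. It assumes the commands are typed in the BIG-IP advanced (bash) shell through the tmsh wrapper, that 203.0.113.10 is a placeholder public VIP, and that the Caddy host from the thread, 192.168.1.199, listens on 443 (the internal openssl test above connected to that port). Object names such as pool_caddy_https and vs_caddy_https_passthrough are made up for the example.

```tmsh
# Added example, not from the thread. Placeholder VIP: 203.0.113.10.

# Pool with the Caddy host as its only member. A plain TCP monitor is
# enough: the BIG-IP never terminates TLS in this design, so it has no
# certificate to check and an HTTPS monitor would add nothing.
tmsh create ltm pool pool_caddy_https members add { 192.168.1.199:443 } monitor tcp

# Virtual server carrying only the default tcp profile. With no http,
# client-ssl or server-ssl profile attached, the ClientHello (including
# SNI and ALPN) reaches Caddy unmodified and the certificate the browser
# sees is Caddy's own. translate-address / translate-port are the GUI's
# "Address Translation" / "Port Translation" checkboxes; AutoMap SNAT
# makes return traffic come back through the BIG-IP even though the
# web server's default gateway is not the F5 (the asymmetric-routing
# issue Mayur described).
tmsh create ltm virtual vs_caddy_https_passthrough destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp } pool pool_caddy_https translate-address enabled translate-port enabled source-address-translation { type automap }

# Confirm that no SSL or HTTP profile slipped in and that the translation
# settings are what the thread ended up with, then persist the change.
tmsh list ltm virtual vs_caddy_https_passthrough profiles translate-address translate-port source-address-translation
tmsh save sys config
```

The external symptom in the thread (openssl reading 0 bytes and getting errno=104) is what a missing translation or SNAT setting looks like from outside: the TCP session is reset before any TLS bytes come back. After applying the above, an external `openssl s_client -connect <vip>:443 -servername <hostname>` should complete the handshake and print Caddy's certificate chain, which is the quickest way to prove the BIG-IP is truly passing TLS through rather than terminating it.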