Akhilesh_128432
Feb 15, 2016

cookie persistence for HTTPS traffic

I am looking for an option to set cookie persistence for HTTPS traffic.

I know cookie persistence will work only with an HTTP profile, but I am wondering whether there is any way we can configure cookie persistence for HTTPS traffic?

 

-Akhilesh

 

9 Replies

  • nathe

    Akhilesh,

     

    If you terminate the SSL connection at the bigip with a client ssl profile and you also have an http profile assigned to the VIP, then you will be able to use cookie persistence.

     

    Hope this helps,

     

    N

     

  • I agreed, but in this case basically all the traffic from F5 to the APP server would be HTTP, right?

     

    -Akhilesh

     

    • nathe
      you can re-encrypt to the backend app server using a server ssl profile - the default one (serverssl) should suffice.
  • I have already one certificate installed on my application server, so do we need to assign my application certificate to serverssl profile?

     

    • nathe
      export this and the key to the bigip and create a custom client ssl profile, inc. this cert/key to decrypt the traffic. the bigip can then use the default serverssl profile to re-encrypt.
  • If I may add, the certificate that you use on the server side is less important. The default settings for the server SSL profile are to ignore certificate errors. But generally speaking, in order to see HTTP traffic, you must terminate the SSL session. And you can certainly re-encrypt to the backend server (a method usually called "SSL bridging").

     

  • I have a question: for the clientssl profile we have used the certificate which is on the servers, but which certificate will we use for the serverssl profile?

     

    • Kevin_Stewart

      Rahul, see my 15-Feb-2016 response above. You usually don't need to configure any certs in the servers profile. These would be client certs to the internal application, which shouldn't need to authenticate the client. You can usually use the default servers profile if you need to re-encrypt to the application servers.
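
The SSL bridging setup discussed in this thread, written out as tmsh commands. This is an added example, not configuration posted by any participant. All object names, IP addresses and certificate/key/CA file names are placeholders, and the stricter server-side profile is an optional variation on the default serverssl profile the replies recommend.

```tmsh
# Constructed example: every name, address and file below is a placeholder.

# Client side: decrypt with the application's certificate and key,
# previously imported to the BIG-IP.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert app.example.crt key app.example.key

# Cookie persistence relies on the HTTP profile, which only sees requests
# once the client-side SSL session has been terminated.
create ltm persistence cookie app_cookie defaults-from cookie method insert secure enabled httponly enabled

# Server side: the default serverssl profile re-encrypts but ignores
# certificate errors. This custom profile instead requires the pool
# member's certificate to chain to an imported internal CA (assumed file).
create ltm profile server-ssl app_serverssl defaults-from serverssl peer-cert-mode require ca-file internal-ca.crt

# Pool members listen on HTTPS because traffic is re-encrypted to them.
create ltm pool app_pool members add { 192.0.2.11:443 192.0.2.12:443 } monitor https

# Virtual server: client SSL + HTTP + server SSL profiles, cookie persistence.
create ltm virtual vs_app_https destination 198.51.100.10:443 ip-protocol tcp pool app_pool profiles add { tcp { } http { } app_clientssl { context clientside } app_serverssl { context serverside } } persist replace-all-with { app_cookie { default yes } }
```

To follow the replies exactly, replace app_serverssl in the virtual server with the built-in serverssl profile and skip the server-ssl profile creation.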