enable ASM (WAF) on VIP
Hello,
I created a new VIP, and there is a request to add WAF on it.
I tried to allow/disable the ASM policy with HTTP Profile (Client): http & SSL Profile (Client), but I get the error below:
400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx
The VIP opens only when I remove SSL Profile (Client) & HTTP Profile (Client): none
Note: the same certificate is applied on the backend side (VM).
When I remove SSL Profile (Client) and set HTTP Profile (Client): http, the curl command & browser hang until a timeout is shown.
Please assist me in getting a workable VIP that I can add WAF on.
- sandy16 (Altostratus)
Hi, you need to have client SSL Profile, Server SSL profile and HTTP Profile applied to the VIP. Make sure the client SSL profile includes the proper certificate/key pair of your FQDN.
- ghaidaF (Nimbostratus)
Thank you for your quick response.
When I tried, I got this error message: An error occurred during a connection to 0.0.0.0. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
I'm thinking of removing the SSL client, as the same exists on the backend side; I thought it is enough.
Is there any solution to add a policy (asm-waf) without choosing any protocol on HTTP Profile?
I tried to choose none, but it shows the below when I tried to add the policy: Web Security profile requires an HTTP profile to be associated with the virtual server
- ghaidaF (Nimbostratus)
Also, I observe the error message below when I add the SSL Profile (Client), even when the HTTP profile is none:
"
400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx
"
Hi ghaidaF,
An HTTP profile on the client side is mandatory for a correct WAF configuration because the HTTP profile instructs the virtual server to interact with the protocol.
Some questions:
- Have you configured an IP for the virtual server in the destination, for example "172.X.X.X"?
- Which type of virtual server have you created?
- An SSL client profile is necessary in case the traffic is encrypted; always keep the traffic encrypted and use the F5 to decrypt the traffic and process the WAF.
- Is the server encrypted? In this case you have to configure an SSL server profile; you can use the default provided by F5.
Hope it works.
Hi again,
If the application is only on port 80, you don't need to apply SSL profiles; only enable the HTTP profile, the WAF policy, and the logging profile.
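
The profile combinations discussed in this thread, modelled as an added example that is not part of any post above and is not F5 code. The `Vip` class, `evaluate` function and outcome labels are hypothetical names, and the model is a simplification: it only tracks whether the proxy holds cleartext HTTP and whether the pool member receives TLS or plain HTTP.

```python
from dataclasses import dataclass

@dataclass
class Vip:
    client_ssl: bool          # SSL Profile (Client) attached
    server_ssl: bool          # SSL Profile (Server) attached
    http_profile: bool        # HTTP Profile (Client) set to "http"
    waf_policy: bool = False  # ASM policy attached

def evaluate(vip, client_tls, backend_tls):
    """Return (outcome, advice). client_tls: clients connect with HTTPS;
    backend_tls: the pool member listens for HTTPS. Simplified model."""
    if vip.waf_policy and not vip.http_profile:
        return "config-rejected", "ASM policy requires an HTTP profile"
    if vip.client_ssl and not client_tls:
        return "client-handshake-fails", "clients send plain HTTP to a client SSL profile"
    # Does the proxy hold cleartext HTTP after its client-side profiles?
    cleartext = vip.client_ssl or not client_tls
    if vip.http_profile and not cleartext:
        return "stall", "HTTP profile is handed TLS records; add a client SSL profile"
    if vip.server_ssl and not cleartext:
        return "backend-handshake-fails", "server SSL wraps traffic that is already TLS"
    # What reaches the pool member: re-encrypted, passed through, or plain.
    to_backend_tls = vip.server_ssl if cleartext else True
    if backend_tls and not to_backend_tls:
        return "400-plain-http-to-https-port", "add a server SSL profile"
    if to_backend_tls and not backend_tls:
        return "backend-rejects-tls", "backend is plain HTTP; drop the server SSL profile"
    if vip.waf_policy:
        return "ok-inspected", "WAF sees decrypted HTTP"
    return "ok", "passes" if cleartext else "passes as opaque TLS; nothing to inspect"

# Constructed cases mirroring the configurations reported in the thread.
CASES = {
    "client SSL + http, HTTPS backend": (Vip(True, False, True), True, True),
    "no profiles, HTTPS backend": (Vip(False, False, False), True, True),
    "http only, HTTPS client": (Vip(False, False, True), True, True),
    "client+server SSL, http, WAF": (Vip(True, True, True, True), True, True),
    "port 80 only: http + WAF": (Vip(False, False, True, True), False, False),
}

if __name__ == "__main__":
    for name, (vip, c, b) in CASES.items():
        print(f"{name:34} -> {evaluate(vip, c, b)[0]}")
```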