ghaidaF
Feb 13, 2024

enable ASM (WAF) on VIP

Hello, 

I created a new VIP, and the request is to add WAF on it.
I tried to allow/disable the ASM policy with HTTP Profile (Client): http & SSL Profile (Client), but I get the error below:
400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx



The VIP opens only when I remove SSL Profile (Client) & HTTP Profile (Client): none


Note: the same certificate is applied on the backend side (VM).

When I remove SSL Profile (Client) and set HTTP Profile (Client): http, the curl command & browser hang until a timeout is shown.

Please assist so that I have a workable VIP and can add WAF on it.


  • Hi, you need to have client SSL Profile, Server SSL profile and HTTP Profile applied to the VIP. Make sure the client SSL profile includes the proper certificate/key pair of your FQDN. 

    • ghaidaF

      Thank you for your quick response.

      When I tried, I get this error message:

      An error occurred during a connection to 0.0.0.0 SSL received a record that exceeded the maximum permissible length.

      Error code: SSL_ERROR_RX_RECORD_TOO_LONG




      I'm thinking of removing the SSL client profile as the same exists on the backend side; I thought it is enough.

      Is there any solution to add the policy (asm-waf) without choosing any protocol on HTTP Profile?
      I tried to choose none, but it shows the below when I tried to add the policy:

      Web Security profile requires an HTTP profile to be associated with the virtual server

  • Also, I observe the error message below when I add the SSL Profile (Client), even when the HTTP profile is none:

    "
    400 Bad Request
    The plain HTTP request was sent to HTTPS port
    nginx
    "

    • Hi ghaidaF,

       

      An HTTP profile at the client side is mandatory for a correct WAF configuration because the HTTP profile instructs the virtual server to interact with the protocol.

      Some questions:

      1. Have you configured an IP for the virtual server in destination, for example "172.X.X.X"?
      2. Which type of virtual server have you created?
      3. An SSL client profile is necessary in the case the traffic is encrypted; always keep the traffic encrypted and use the F5 to decrypt the traffic and process the WAF.
      4. Is the server encrypted? In this case you have to configure an SSL server profile; you can use the default provided by F5.

       

      Hope it works.

      • Sebastiansierra

        Hi again,

        If the application is only port 80 you don't need to apply SSL profiles, only enable the HTTP profile, the WAF policy, and the logging profile.
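
The profile combination recommended in the replies, beside the one that produces the nginx 400 error, as an added example in bigip.conf stanza syntax (not posted by anyone in the thread). All object names and addresses are hypothetical, and `clientssl_app` is assumed to be an existing client SSL profile holding the FQDN's certificate/key pair.

```tmsh
# Added example; names and addresses are placeholders, not from the thread.

# Backend (the nginx VM) listens on HTTPS.
ltm pool pool_app_https {
    members {
        198.51.100.20:443 {
            address 198.51.100.20
        }
    }
}

# Failing combination: client SSL + HTTP, but no server SSL profile.
# BIG-IP decrypts the client's TLS and forwards cleartext HTTP to the
# pool member on 443, so nginx answers
# "400 Bad Request - The plain HTTP request was sent to HTTPS port".
ltm virtual vs_app_no_serverssl {
    destination 192.0.2.11:443
    ip-protocol tcp
    pool pool_app_https
    profiles {
        clientssl_app { context clientside }
        http { }
        tcp { }
    }
}

# Working combination for an HTTPS client and an HTTPS backend:
#   clientssl_app -> terminates the client's TLS so the HTTP profile
#                    (and the WAF policy) see cleartext requests
#   http          -> required before a Web Security (ASM) policy can
#                    be attached to the virtual server
#   serverssl     -> re-encrypts toward the pool member on 443
ltm virtual vs_app_https {
    destination 192.0.2.10:443
    ip-protocol tcp
    pool pool_app_https
    profiles {
        clientssl_app { context clientside }
        http { }
        serverssl { context serverside }
        tcp { }
    }
}
```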