Forum Discussion
Quintious_74258
Nimbostratus
NimbostratusEncrypting HTTP traffic to SSL on LTM
We're about to leverage our LTM's for a partnership, and need to know how to take unencrypted traffic and encrypt it.
Basically what we're doing is:
-Traffic will come in from our partner via HTTPS. Big-IP will serve as the SSL termination point, convert the packets to HTTP, change the port number (to a pre-defined port, let's say 4000) that the server is listening on, and forward them off to the servers (which cannot read or interpret HTTPS packets). This entails setting up a client SSL thing.
-The servers will then respond with HTTP traffic over, again let's say port 4000 after they have processed the data, at which time the LTM will take the unecrypted data, re-encrypt it, and send it as HTTPS traffic via port 443 to our partner. This requires a server SSL configuration.
Now the twist:
-The servers will also need to proactively send HTTP traffic to our partner without first receiving a packet that the LTM has decrypted. We need the LTM to proactively encrypt that data that comes in as HTTP over...again, let's say 4000, and then send it off to our partner as HTTPS traffic over port 443. The servers can't do it, because the app can't do it.
I read somewhere that SNAT plays a role in this last twist, but I can't seem to find the forum post again. Is there a solution article out there that details how we can do this? Or has anyone done it, and can provide a blow-by-blow of what we need to do to make it work?
hooleylistCirrostratus
Hi,
For the partner (HTTPS) -> LTM -> (HTTP) app traffic you can create a virtual server on port 443 with a client SSL profile pointing to a pool of the server(s) on port 4000. The replies will follow the reverse path. If your server(s) have their default gateway set to the LTM floating self IP, you don't need SNAT. If that's not the case, then use SNAT on the virtual server.
For the app (HTTP) -> LTM -> (HTTPS) partner traffic, you can create an HTTP virtual server with a server SSL profile pointing to a pool of the partner server(s) on port 443. You'll need to use SNAT on this virtual server. You'll also need a TMM route (or default route) to get to the partner network.
Aaron
Quintious_74258OK, so even if the servers are not responding to the partner's packets, and the packets aren't returning through an existing connection in BIG-IP, we still use a server ssl profile and it will automatically encrypt traffic that the LTM is seeing for the first time? I just want to make sure I'm understanding this correctly, because the LTM essentials course was stating that server ssl profiles were for "return" traffic - it didn't say anything about fresh traffic that's being initiated internally.- Quintious_74258Double post, feel free to delete this one.
- hooleylistReplies are handled by the original virtual server the request went through. However, if you have both sets of hosts originating traffic, then you need two virtual servers.
For the VS which handles your requests to the partner, you use a server SSL profile to encrypt the LTM to partner pool traffic. For the VS which handles the partner requests to you, you use a client SSL profile to decrypt the requests and re-encrypt the responses on the clientside of LTM.
Aaron - Quintious_74258Alright, thanks, we'll give it a shot.
(And will probably still open a sev. 3 ticket to help walk us through it anyways, since we're paying for the premium support :P). 
nitassEmployee
just an example which Aaron said. i have to use snat and irule due to my lab environment.
this is for https to http.[root@ve1023:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:443 ip protocol 6 profiles { clientssl { clientside } tcp {} } vlans external enable } [root@ve1023:Active] config b pool foo list pool foo { members 200.200.200.101:4000 {} } curl -Ik https://172.28.19.79 HTTP/1.1 200 OK Date: Fri, 18 Nov 2011 09:04:18 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT ETag: "4183e4-3e-9c564780" Accept-Ranges: bytes Content-Length: 62 Connection: close Content-Type: text/html; charset=UTF-8 [root@ve1023:Active] config tcpdump -nni 0.0 port 443 or port 4000 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes 01:04:04.467014 IP 172.28.19.253.50827 > 172.28.19.79.443: S 4250042541:4250042541(0) win 5840 01:04:04.467072 IP 172.28.19.79.443 > 172.28.19.253.50827: S 3878453677:3878453677(0) ack 4250042542 win 4380 01:04:04.468913 IP 172.28.19.253.50827 > 172.28.19.79.443: . ack 1 win 46 01:04:04.477800 IP 172.28.19.253.50827 > 172.28.19.79.443: P 1:106(105) ack 1 win 46 01:04:04.477837 IP 172.28.19.79.443 > 172.28.19.253.50827: P 1:793(792) ack 106 win 4380 01:04:04.480082 IP 172.28.19.253.50827 > 172.28.19.79.443: . ack 793 win 58 01:04:04.480095 IP 172.28.19.253.50827 > 172.28.19.79.443: P 106:292(186) ack 793 win 58 01:04:04.484510 IP 200.200.200.10.50827 > 200.200.200.101.4000: S 2032949847:2032949847(0) win 4380 01:04:04.484517 IP 172.28.19.79.443 > 172.28.19.253.50827: P 793:840(47) ack 292 win 4485 01:04:04.485823 IP 200.200.200.101.4000 > 200.200.200.10.50827: S 3932073000:3932073000(0) ack 2032949848 win 5792 01:04:04.485834 IP 200.200.200.10.50827 > 200.200.200.101.4000: . ack 1 win 4380 01:04:04.486872 IP 172.28.19.253.50827 > 172.28.19.79.443: P 292:472(180) ack 840 win 58 01:04:04.486893 IP 200.200.200.10.50827 > 200.200.200.101.4000: P 1:156(155) ack 1 win 4380 01:04:04.487832 IP 200.200.200.101.4000 > 200.200.200.10.50827: . ack 156 win 54 01:04:04.489095 IP 200.200.200.101.4000 > 200.200.200.10.50827: P 1:263(262) ack 156 win 54 01:04:04.489116 IP 172.28.19.79.443 > 172.28.19.253.50827: P 840:1127(287) ack 472 win 4851 01:04:04.489119 IP 200.200.200.101.4000 > 200.200.200.10.50827: F 263:263(0) ack 156 win 54 01:04:04.489126 IP 200.200.200.10.50827 > 200.200.200.101.4000: . ack 264 win 4642 01:04:04.489131 IP 172.28.19.79.443 > 172.28.19.253.50827: F 1127:1127(0) ack 472 win 4851 01:04:04.493034 IP 172.28.19.253.50827 > 172.28.19.79.443: P 472:499(27) ack 1128 win 71 01:04:04.493048 IP 172.28.19.253.50827 > 172.28.19.79.443: F 499:499(0) ack 1128 win 71 01:04:04.493058 IP 172.28.19.79.443 > 172.28.19.253.50827: . ack 500 win 4878 01:04:04.493067 IP 200.200.200.10.50827 > 200.200.200.101.4000: F 156:156(0) ack 264 win 4642 01:04:04.493889 IP 200.200.200.101.4000 > 200.200.200.10.50827: . ack 157 win 54- nitassthis is for http to https.
[root@ve1023:Active] config b virtual bar2 list virtual bar2 { snat automap pool foo2 destination 200.200.200.79:4000 ip protocol 6 rules myrule2 profiles { http {} serverssl { serverside } tcp {} } vlans internal enable } [root@ve1023:Active] config b pool foo2 list pool foo2 { members 74.125.235.50:443 {} } [root@ve1023:Active] config b rule myrule2 list rule myrule2 { when HTTP_REQUEST { HTTP::header replace Host "www.google.com" } } curl -I http://200.200.200.79:4000 HTTP/1.1 200 OK Date: Fri, 18 Nov 2011 09:02:39 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Set-Cookie: PREF=ID=4ef4ba14c2189eec:FF=0:TM=1321606959:LM=1321606959:S=hTpVLYxefmsAEtSk; expires=Sun, 17-Nov-2013 09:02:39 GMT; path=/; domain=.google.com Set-Cookie: NID=53=t3p09w0aYLbn2wOZIOZOnypE889mOydciWSDfW9KacQee-sNIPmJlxx6jH0Sm-bD-Um2TUxZm12xM8nlAANVrZXb117QEE-uKgQW2mzY4jcCgIVly_xhfdbvr5sdOpWJ; expires=Sat, 19-May-2012 09:02:39 GMT; path=/; domain=.google.com; HttpOnly Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Transfer-Encoding: chunked [root@ve1023:Active] config tcpdump -nni 0.0 port 4000 or port 443 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes 01:06:52.264065 IP 200.200.200.101.53947 > 200.200.200.79.4000: S 2974964524:2974964524(0) win 5840 01:06:52.264127 IP 200.200.200.79.4000 > 200.200.200.101.53947: S 3360020780:3360020780(0) ack 2974964525 win 4380 01:06:52.264879 IP 200.200.200.101.53947 > 200.200.200.79.4000: . ack 1 win 46 01:06:52.264910 IP 200.200.200.101.53947 > 200.200.200.79.4000: P 1:163(162) ack 1 win 46 01:06:52.265061 IP 172.28.19.80.53947 > 74.125.235.50.443: S 723819090:723819090(0) win 4380 01:06:52.272054 IP 74.125.235.50.443 > 172.28.19.80.53947: S 2091216247:2091216247(0) ack 723819091 win 5672 01:06:52.272076 IP 172.28.19.80.53947 > 74.125.235.50.443: . ack 1 win 4380 01:06:52.272124 IP 172.28.19.80.53947 > 74.125.235.50.443: P 1:95(94) ack 1 win 4380 01:06:52.277870 IP 74.125.235.50.443 > 172.28.19.80.53947: . ack 95 win 89 01:06:52.282934 IP 74.125.235.50.443 > 172.28.19.80.53947: P 1:134(133) ack 95 win 89 01:06:52.283029 IP 172.28.19.80.53947 > 74.125.235.50.443: P 95:142(47) ack 134 win 4380 01:06:52.283040 IP 172.28.19.80.53947 > 74.125.235.50.443: P 142:324(182) ack 134 win 4513 01:06:52.290825 IP 74.125.235.50.443 > 172.28.19.80.53947: . ack 324 win 106 01:06:52.314970 IP 74.125.235.50.443 > 172.28.19.80.53947: P 134:794(660) ack 324 win 106 01:06:52.315001 IP 200.200.200.79.4000 > 200.200.200.101.53947: P 1:636(635) ack 163 win 4542 01:06:52.315979 IP 200.200.200.101.53947 > 200.200.200.79.4000: . ack 636 win 56 01:06:52.315990 IP 200.200.200.101.53947 > 200.200.200.79.4000: F 163:163(0) ack 636 win 56 01:06:52.315997 IP 200.200.200.79.4000 > 200.200.200.101.53947: . ack 164 win 4542 01:06:52.316002 IP 172.28.19.80.53947 > 74.125.235.50.443: F 324:324(0) ack 794 win 5173 01:06:52.322060 IP 74.125.235.50.443 > 172.28.19.80.53947: F 794:794(0) ack 325 win 106 01:06:52.322075 IP 172.28.19.80.53947 > 74.125.235.50.443: . ack 795 win 5173 01:06:52.322078 IP 200.200.200.79.4000 > 200.200.200.101.53947: F 636:636(0) ack 164 win 4542 01:06:52.322975 IP 200.200.200.101.53947 > 200.200.200.79.4000: . ack 637 win 56