Forum Discussion
End-to-end SSL
Do we need to install an SSL cert on both the LB and the real server for features like X-Forwarded-For and iRules (modifying HTTP behavior) to work for an HTTPS VIP? Please explain briefly.
2 Replies
- Hannes_Rapp
Nimbostratus
Answer: yes, installing a certificate on BigIP is mandatory for the features you mentioned.
Installing a certificate on the web server is only mandatory if you forward connections to an SSL-enabled port. Other than that, F5 can also forward connections to a plain-HTTP port. In such a case, you do not need to install a certificate on the web server.
- Chris_Grant
Employee
For both X-Forwarded-For and iRules, we have to gain access to the encrypted payload to read data and make changes. The only way to do that is to have the private key and SSL cert installed so we can encrypt and decrypt the data (acting as the server in this case). If you don't need to have the traffic encrypted between the BigIP and the pool member, you are done at this point. If you want that traffic encrypted to the back end, you will need to install the cert and key on the back-end server also. After we are done manipulating the data, we will contact the back-end server as a client, re-encrypt the data as normal and send it to the pool member.
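The flow described in the replies above, sketched as an iRule. This is an added example, not code from either poster or from F5. It assumes the HTTPS virtual server has an HTTP profile and a client SSL profile attached, plus a server SSL profile only when the pool member listens on an SSL-enabled port, and that the BIG-IP is the first trusted hop in front of the servers. The log message wording is made up for illustration.

```tcl
# Added example (not from the thread): shows where each step happens
# when the BIG-IP terminates TLS and optionally re-encrypts.

when CLIENTSSL_HANDSHAKE {
    # Fires only when a client SSL profile (cert + private key on the
    # BIG-IP) has completed the handshake with the browser. Without that
    # profile the payload stays encrypted and HTTP_REQUEST never fires.
    log local0. "client-side TLS terminated: [SSL::cipher version] [SSL::cipher name]"
}

when HTTP_REQUEST {
    # The request is now plaintext inside the BIG-IP, so headers can be
    # read and changed.
    # Assumption: the BIG-IP is the first trusted hop, so any
    # X-Forwarded-For sent by the client is untrusted and is dropped
    # before the real peer address is inserted.
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}

when SERVERSSL_HANDSHAKE {
    # Fires only when a server SSL profile is attached, i.e. the BIG-IP
    # has connected to the pool member as a TLS client and re-encrypted
    # the traffic. With a plain-HTTP pool member this event never fires
    # and the modified request goes to the back end unencrypted.
    log local0. "server-side TLS to [IP::server_addr]: [SSL::cipher version] [SSL::cipher name]"
}
```

If only the first log line appears for a connection, traffic between the BIG-IP and the pool member is not encrypted.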