F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Mayank_Shukla's avatar
Mayank_Shukla
Icon for Altostratus rankAltostratus
Apr 19, 2016

end to end ssl

do we need to install ssl cert on both LB and real server for features like x-forwarded-for and irules(modifying http behavior) to work for an https VIP? Please explain briefly.  
application delivery
BIG-IP
LTM
Chris_Grant's avatar
Chris_Grant
Icon for Employee rankEmployee
Apr 19, 2016

For both x-forwarded-for and irules we have to gain access to the encrypted payload to read data and make changes. The only way to do that is to have the private key and ssl cert installed so we can encrypt and decrypt the data (acting as the server in this case). If you don't need to have the traffic encrypted between the BigIP and the pool member, you are done at this point. If you want that traffic encrypted to the back end, you will need to install the cert and key on the back end server also. After we are done manipulating the data, we will contact the back end server as a client, reencrypt the data as normal and send to the pool member.