F5 and the way forward
Hello,
I have the following test server configuration:
1) A third-party bespoke application that allows HTTPS to be set up within that application. The application has its own maintenance web pages as well as server traffic.
2) Apache server
3) F5
I am trying to work out what's the best way to implement HTTPS in this configuration, as I have some knowledge but I need to improve that knowledge.
a) I can implement SSL offloading on F5, which should be enough for the clients. If there was a possibility of contacting the server directly, this would mean that I would also have to apply HTTPS to the third-party application.
b) I can implement on F5 a "client, server" SSL profile with a server private key / server cert and check the "proxy ssl" box. Essentially, what this proxy SSL solution does is a bulk encrypt and decrypt which can happen between the client / F5 / server.
c) The next idea would be an SSL forward proxy solution: "local CA" on F5 and "GeoTrust CA" on the server, which would then allow the BIG-IP to "forge" a certificate for the domain name on the server, which would be done via the trust relationship with the local CA. Basically, this would remove the trust relationship from the server and move it to F5 BIG-IP.
I am tempted to go for option B, which would cover the application and F5.
I appreciate that it's hard given the brief description above, but that's as much as I have at the moment.
Someone suggested using different keys on the F5 and the bespoke application, but I cannot see how this would work given my knowledge of F5, as it would require two SSL certs to be authenticated, which does not make sense to me and would not work from my knowledge.
Anyone got a good suggestion?