Forum Discussion
F5 and the way forward
Note - I'm an F5 newbie, but :) the approach I would take - and trying to keep it simple (KISS) -
is to move SSL to the F5 and make everyone connect via there. If you have multiple paths, it just causes pain.
You want a break-fix solution? Put in a policy, iRule, or ??? - something that gives the devs emergency access if needed, a straight-through rule that is only IP-based or has some limiting factor.
If the problem is the app being behind a reverse proxy... well, that will need some testing beforehand.
But... I don't know your environment, so... there might be other mitigating factors.
Afternoon Alex,
First of all, thanks for responding again!
I have been looking at various F5 documents and came to the conclusion that if I was to implement a "Full SSL Proxy / SSL Re-Encryption" solution with Apache ModSecurity, then this would give me a load balancer using SSL and a WAF behind the load balancer to filter out attacks.
I came to the conclusion that SSL up to the Apache reverse proxy server would be in force. The documentation says that ModSecurity would remove the SSL after Apache ModSecurity has examined the HTTPS request.
Surely, ModSecurity would be sufficient to filter out attacks? Freeware, hmmmm!!!
Then I might be completely wrong and I have missed something obvious, and there could be a better solution out there?
I did go down the path of moving SSL to the F5 only (SSL offloading), but then including the WAF after the LB to provide additional security was a cause for concern, as this should be SSL-encrypted communication.
Locking down ports and implementing access control was then my next thought.
The post was to see what a wider audience could suggest, but there appear to be very few people who want to discuss this area?
Thanks for responding, Alex!
Documents read:
https://www.f5.com/company/blog/where-does-a-waf-fit-in-the-data-path
https://support.f5.com/csp/article/K65271370
https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch01-introduction.html
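
The Apache tier of the re-encryption design discussed in this thread, as an added example that is not part of either post: the F5 re-encrypts toward an Apache reverse proxy, ModSecurity inspects the request there, and Apache re-encrypts toward the application. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_security2 loaded; every hostname, IP address and file path is a placeholder.

```apache
# Added example. Hostnames, addresses and paths below are placeholders.
<VirtualHost *:443>
    ServerName waf.example.internal

    # Leg 1 (F5 -> Apache): mod_ssl terminates the re-encrypted connection
    # from the load balancer so the request is available in cleartext
    # to the modules that run after it.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/waf.example.internal.crt
    SSLCertificateKeyFile /etc/pki/tls/private/waf.example.internal.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Access control: accept connections only from the load balancer's
    # address (192.0.2.10 is a documentation-range placeholder), so
    # clients cannot reach this tier on a second path.
    <Location "/">
        Require ip 192.0.2.10
    </Location>

    # Inspection: ModSecurity evaluates the decrypted request, including
    # the body. The rule set itself is deployment-specific and is not
    # included here; without rules the engine blocks nothing.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Leg 2 (Apache -> application): mod_proxy opens a new TLS connection
    # to the backend and verifies its certificate against an internal CA,
    # so traffic behind the WAF is encrypted and authenticated as well.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.pem
    SSLProxyCheckPeerName on
    ProxyPass        "/" "https://app.example.internal:8443/"
    ProxyPassReverse "/" "https://app.example.internal:8443/"
</VirtualHost>
```

With this layout the request exists in cleartext only inside the Apache process, between TLS termination and the proxied connection to the application.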
