Forum Discussion

nicolas_67135
Sep 07, 2011

F5 as a proxy to encapsulate every HTTP session into ssl

Hi,

We have a specific architecture and we want to use the F5 as a proxy device, a specific proxy device...

Let me explain:

We have a lot of customers on the Internet (several hundred, so we can't create a specific virtual server for all of those customers) and we want to use the SSL acceleration card on the F5 to do some stuff with SSL encapsulation. So we have several servers in the front office connected to the F5, and those servers have to send some information over the Internet in SSL (to our customers).

So the flow that we want to implement:

Server ----[HTTP]----> F5 -----[SSL]---> Customers (a lot of customers)

I think I have to use:

1. A virtual server: * to catch every connection from my server in the front office going towards the Internet
2. no pool
3. Server SSL profile

An iRule which creates a node with the destination IP of the packet?

Do you think that it's a good idea and that it could work? Do you have another idea?

Thank you for your help

Nicolas.
  • is it similar to this?

    [root@Edelweiss:Active] config  b route list
    route default inet {
       gateway 172.28.17.254
    }
    [root@Edelweiss:Active] config  b virtual bar list
    virtual bar {
       translate address enable
       translate service enable
       snat automap
       destination any:any
       mask 0.0.0.0
       ip protocol tcp
       rules myrule
       profiles {
          serverssl {
             serverside
          }
          tcp {}
       }
    }
    [root@Edelweiss:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
          node [IP::local_addr] 443
       }
    }
    
    curl -I http://209.85.175.103/
    HTTP/1.1 200 OK
    Date: Wed, 07 Sep 2011 16:32:52 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=ISO-8859-1
    Server: gws
    X-XSS-Protection: 1; mode=block
    Transfer-Encoding: chunked
    
    [root@Edelweiss:Active] config  tcpdump -nni 0.0 'tcp[13] = 2'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    09:32:30.438210 IP 10.10.72.30.38683 > 209.85.175.103.80: S 1386918676:1386918676(0) win 5840 
    09:32:30.440113 IP 172.28.17.70.38683 > 209.85.175.103.443: S 3298992726:3298992726(0) win 4380 
    
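As an added example that is not part of this thread, below is a tightened version of the `myrule` iRule from the configuration above. The `destination any:any` virtual server accepts any TCP connection from anyone who can reach it, so the iRule is where the source and port restrictions have to live; the 10.10.72.0/24 source range and the port-80-only rule are assumptions for illustration, not values from the thread.

```tcl
# Added example (not from the thread): a restricted version of "myrule".
# Assumptions (not in the thread): the front-office servers live in
# 10.10.72.0/24, and only plain-HTTP (port 80) connections should be
# re-encrypted towards port 443 on the original destination.

when CLIENT_ACCEPTED {
    # Only the internal front-office servers may use this virtual server;
    # anything else would turn it into an open forwarding proxy.
    if { ![IP::addr [IP::client_addr] equals 10.10.72.0/24] } {
        log local0. "proxy: rejected [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
        reject
        return
    }
    # Only port 80 is re-encrypted; other ports are dropped rather than
    # silently forwarded to 443 on whatever the original destination was.
    if { [TCP::local_port] != 80 } {
        log local0. "proxy: unexpected port [TCP::local_port] from [IP::client_addr]"
        reject
        return
    }
    # Forward to the packet's original destination on 443; the serverssl
    # profile attached to the virtual server performs the TLS handshake.
    node [IP::local_addr] 443
}

when SERVERSSL_HANDSHAKE {
    # Leave a trace of every outbound TLS session so that destinations and
    # negotiated ciphers can be reviewed in the logs.
    log local0. "proxy: TLS to [IP::server_addr] established, cipher [SSL::cipher name]"
}
```

The port check can equally be expressed by narrowing the virtual server to `destination any:80` instead of `any:any`. Independently of the iRule, the serverssl profile decides whether the far end's certificate is verified at all; by default it is not, so a CA bundle and peer certificate verification have to be configured on that profile for the destination to be authenticated.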
  • George_Watkins_
    Historic F5 Account

    Hi Nicolas,

    The problem that you are going to run into is hostname mismatches. Your clients will receive errors unless you have a wildcard certificate for a domain and all the SSL sessions will be within that domain. It isn't possible to select an SSL profile based on hostname as the SSL session is negotiated prior to any hostname exchanges. However this is different from your diagram. If you only want to encrypt traffic on the server-side that is a much easier (albeit uncommon) scenario. Hope this helps,

    George