Forum Discussion

nicolas_67135's avatar
Icon for Nimbostratus rankNimbostratus
Sep 07, 2011

F5 as a proxy to encapsulate every HTTP session into ssl




We have a specific architecture and we want to use the F5 as a proxy device, a specific proxy device...



I explain :


We have a lot of customers in Internet (several hundred, we can't create a specific virtual server for all that customers) and we want to use the SSL acceleration card on F5 to do some stuff about SSL encapsulation. So we have several servers in front office connected to the F5 and those servers have to send some information on Internet in SSL (to our customers).



So the flow that we want to implement :



Server ----[HTTP]----> F5 -----[SSL]---> Customers (a lot of customers)




I think I have to use :



1. A virtual server : * to catch every connection from my server in front office and in direction of Internet


2. no pool


3. Server SSL profile



A irule which creates a node with the destination IP of the packet ?



Do you think that it's a good idea and that it could be work ? Do you have another idea ?



Thank you for your help




2 Replies

  • is it similar to this?

    [root@Edelweiss:Active] config  b route list
    route default inet {
    [root@Edelweiss:Active] config  b virtual bar list
    virtual bar {
       translate address enable
       translate service enable
       snat automap
       destination any:any
       ip protocol tcp
       rules myrule
       profiles {
          serverssl {
          tcp {}
    [root@Edelweiss:Active] config  b rule myrule list
    rule myrule {
       when CLIENT_ACCEPTED {
            node [IP::local_addr] 443
     curl -I
    HTTP/1.1 200 OK
    Date: Wed, 07 Sep 2011 16:32:52 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=ISO-8859-1
    Server: gws
    X-XSS-Protection: 1; mode=block
    Transfer-Encoding: chunked
    [root@Edelweiss:Active] config  tcpdump -nni 0.0 'tcp[13] = 2'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    09:32:30.438210 IP > S 1386918676:1386918676(0) win 5840 
    09:32:30.440113 IP > S 3298992726:3298992726(0) win 4380 
  • George_Watkins_'s avatar
    Historic F5 Account
    Hi Nicolas,



    The problem that you are going to run into is hostname mismatches. Your clients will receive errors unless you have a wildcard certificate for a domain and all the SSL sessions will be within that domain. It isn't possible to select an SSL profile based on hostname as the SSL session is negotiated prior to any hostname exchanges. However this is different from your diagram. If you only want to encrypt traffic on the server-side that is a much easier (albeit uncommon) scenario. Hope this helps,