Forum Discussion
F5 LTM SSL Bridging - send decrypted traffic to clone pool
- Jul 31, 2024
Very simply, in the proxy "HUD" chain, a clone pool sits at layer 2, whereas TLS decryption happens at layer 6. In other words, you're seeing encrypted traffic at the clone pool because decryption hasn't happened yet.
To get decrypted traffic to a clone pool you have to get past layer 6. If you're not re-encrypting to the server, you can put the clone on the server side of the proxy. If you are re-encrypting to the backend, then you'd need a VIP-target solution:
client-side VIP --> (vip target) --> server-side VIP
The client-side VIP has a client SSL profile and an iRule that VIP targets to the server-side VIP that has the server SSL profile. You can then put your clone pool on the server side (inside) of the client-side VIP, or client side (inside) of the server-side VIP.
Very simply, in the proxy "HUD" chain, a clone pool sits at layer 2, whereas TLS decryption happens at layer 6. In other words, you're seeing encrypted traffic at the clone pool because decryption hasn't happened yet.
To get decrypted traffic to a clone pool you have to get past layer 6. If you're not re-encrypting to the server, you can put the clone on the server side of the proxy. If you are re-encrypting to the backend, then you'd need a VIP-target solution:
client-side VIP --> (vip target) --> server-side VIP
The client-side VIP has a client SSL profile and an iRule that VIP targets to the server-side VIP that has the server SSL profile. You can then put your clone pool on the server side (inside) of the client-side VIP, or client side (inside) of the server-side VIP.
A short course on i-rules and I managed to get something working as a POC.
Thanks for the pointers.
I totally agree this is much easier if you have SSLO running on the appliance
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com