Forum Discussion
F5 SSL bridging question..
Hi,
I have an Apache server with a webpage mesh.pens.com. I have configured a VIP so that my F5 can be used for SSL bridging between the client and the Apache server.
client ---> F5 VIP (client ssl, server ssl ) ---> Apache server
My aim is to have a bidirectional secure connection: between the client and the F5 VIP, and between the F5 and the back-end Apache server. I have a client SSL profile with a wildcard certificate for *.pens.com, and the server SSL profile contains the default SSL cert. I'm trying to encrypt the traffic between the F5 and the Apache server so that the server can decrypt it.
I'm not sure what is missing here. I have tested multiple times to see if I can load the page, but it fails.
Here is the quick info:
F5 VIP : 10.60.2.244
Client IP: 10.224.222.79
Backend Apache server : 192.168.220.214 (192.168.200.2 is the self IP on the F5)
Can someone tell me if my understanding of this is wrong? Also, please tell me if I'm missing some critical pieces in achieving the goal.
Please find the attached images. I have taken some packet captures to understand what is missing.
5 Replies
- Salim_83682
Historic F5 Account
Hi,
You don't need to configure a certificate and a key in your serverssl profile. This is only required if you want your BIG-IP to authenticate to your Apache HTTPS server using an SSL certificate. Use the default serverssl profile and you should be fine.
Salim
- newf5learner
Nimbostratus
Yes, I didn't configure any certificate and key on the server SSL profile. It's the default one.
- Salim_83682
Historic F5 Account
I see application data being exchanged in your capture between BIG-IP and Apache. Do you see any HTTP requests/responses logged in your access.log on the server? Can you try from BIG-IP?
curl -k -H "Host: mesh.pens.com" https://192.168.220.214/
If it doesn't work, try the SSL logs on your server maybe?
- mo_99289
Historic F5 Account
There is an encrypted alert message sent from the Apache server. I think you might turn on SSL debug on the Apache server to find the cause.
- newf5learner
Nimbostratus
Here is the output for the curl..
[root@carssr-f5l3:Active:Changes Pending] config curl -k -H "Host: mesh.pens.com" https://192.168.200.214/
302 Found Found The document has moved here.
[root@carssr-f5l3:Active:Changes Pending] config curl -k -H "Host:meshlogin.pens.com" https://192.168.200.214/
[root@carssr-f5l3:Active:Changes Pending] config ------> not output.
[root@carssr-f5l3:Active:Changes Pending] config
I'm trying to get access to the server to check the logs. I will post other results from the logs in some time.
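The access.log check suggested earlier in the thread can be done with a short filter on the F5 self IP. This is an added example, not part of the thread: it assumes Apache logs in the `vhost_combined` LogFormat and that connections from the BIG-IP arrive from the self IP 192.168.200.2 (SNAT, or curl run on the BIG-IP itself); the log lines are constructed.

```python
import re
from collections import Counter

# Assumption: Apache logs in the "vhost_combined" LogFormat:
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<src>\S+) \S+ \S+ '
    r'\[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

F5_SELF_IP = "192.168.200.2"  # self IP quoted in the thread

# Constructed sample lines (not taken from the poster's server).
SAMPLE_LOG = """\
mesh.pens.com:443 192.168.200.2 - - [01/Jan/2015:10:01:07 +0000] "GET / HTTP/1.1" 302 512 "-" "curl/7.19.7"
mesh.pens.com:443 192.168.200.2 - - [01/Jan/2015:10:02:11 +0000] "GET / HTTP/1.1" 302 512 "-" "Mozilla/5.0"
mesh.pens.com:443 10.1.1.5 - - [01/Jan/2015:10:02:30 +0000] "GET /health HTTP/1.1" 200 12 "-" "monitor"
this line is not in the expected format
"""


def summarize(log_text, source_ip=F5_SELF_IP):
    """Count (vhost, status) pairs for requests from source_ip.

    Returns (counts, unparsed) so a log-format mismatch is visible
    rather than being mistaken for "no traffic from the F5"."""
    counts, unparsed = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
        elif m.group("src") == source_ip:
            counts[(m.group("vhost"), int(m.group("status")))] += 1
    return counts, unparsed


def verdict(counts):
    """Classify what the F5-side traffic looks like from Apache's view."""
    if not counts:
        return "no-http-from-f5"   # no request was logged: check TLS/error logs
    if all(300 <= status < 400 for _, status in counts):
        return "redirect-only"     # TLS to Apache works; inspect the Location header
    return "other-responses"


if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LOG)
    for (vhost, status), n in sorted(counts.items()):
        print(f"{vhost} {status} x{n}")
    print("unparsed lines:", unparsed, "| verdict:", verdict(counts))
```

A "redirect-only" result matches the 302 seen with curl above: the server-side TLS leg is working, and the next thing to look at is where the redirect points.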