Forum Discussion
F5 SSL Offloading - Apache - Certificate Error
Hi
I am trying to offload SSL using F5 for my vendor application. SSL offloading is done based on wild card string *.abcd.local.
for e.g. original application url is
This is now redirected via F5 and the url gets changed to (SSL offloading is based on the wild card string *.abcd.local)
On invoking this url the apache web server responds back with ..... with all session cookies and parameters.
Since the response url does not contain the wild card string *.abcd.local, certificate error appears. How can we get around this at the F5 level using iRules, so that SSL offloading is enforced.
Regards
Febin
4 Replies
- Since the response url does not contain the wild card string *.abcd.local, certificate error appears. How can we get around this at the F5 level using iRules, so that SSL offloading is enforced.where is https://originalsite.defg.local/loginpage? is it in http location header?
- First things first, redirect-rewrite is an option that rewrites "http://" to "https://" on 30x redirect responses from the server. This is useful when the application 1) doesn't know it's being accessed via SSL on the client side of a proxy, and 2) it issues absolute (vs. relative) paths in redirects. It does not touch payload URL references.
- Febin_130295
Nimbostratus
Hi - The certificate error doesn't have anything to do with server response, at least not from a layer 7 (HTTP) perspective. When a client initiates an SSL session with a server, the server's immediate response (during the SSL negotiation and BEFORE any HTTP traffic) is a SERVERHELLO message. This is when it presents its certificate to the client. If that certificate 1) contains a subject name that is DIFFERENT than the name the client asked for, or 2) the client cannot establish a trust relationship based on its own explicit trust store, the user will see the certificate error message. So, if you have a clientssl profile assigned to the VIP, and that profile is using a certificate that has a subject of "irec.fgbapps.local", the client is asking for "https://irec.fgbapps.local", and the client can trust the issuer of that certificate, then another likely cause of the certificate error is some communication from the server that is redirecting the client to another host name. The best way to assess this is to capture the client (browser) side interaction with something like Fiddler.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com