Forum Discussion
F5 SSL Pass-through with Xforward.
Dear Steve,
Thanks for your response.
I have enabled Proxy SSL in the SSL profile and then Enabled the X-Forwarded-For in the HTTP profile but this didnt insert the client IP in the HTTP header.
My setup as follows : Client request SSL---->LTM (doing the SSL Proxy) --> F5 WAF---> Server
I have configured SSL client side and SSL server Side with SSL proxy enabled in both profiles in the LTM, HTTP profile with X-Forward has been added as well but in the WAF events i am still unable to see the original client IP.
do i have any workarounds or this will not work as Lidev said A Virtual Server configured with SSL pass-trough prevents F5 BIG-IP from using application-layer features.
Regards,
Muhannad
- MuhannadMar 07, 2020Cirrus
The beast did it when i have excluded DH, DHE..
- SteveMCMar 09, 2020Altostratus
Yes, it is important here to understand exactly what Proxy SSL Passthrough is, and what it is doing in order to understand when the application-layer features (HTTP Profile, WAF, etc) are and are not applied.
Proxy SSL:
With the original version of Proxy SSL configured, the LTM has a copy of the server's private key and it uses that to perform what is essentially a Man in The Middle (MITM) attack on all traffic where those SSL Profiles are applied
Unfortunately, DH/DHE cipher suites are specifically designed to safeguard against MITM attacks. Proxy SSL also has several other incompatibilities, like TLS Session Tickets. If any of these are present, Proxy SSL will break and traffic will simply fail.
Because of this, F5 eventually added the Proxy SSL Passthrough mode.
Proxy SSL Passthrough:
Proxy SSL Passthrough is exactly the same as standard Proxy SSL, except that when incompatible (DH/DHE) ciphers are negotiated the LTM will bypass Proxy SSL completely (as if you had not configured any SSL Profiles) instead of dropping the traffic.
However, this is a problem if you are relying on being able to decrypt the traffic for any other purpose (HTTP Profile, iRules, APM Policies, ASM WAF inspection, etc).
My personal recommendation is to avoid Proxy SSL unless absolutely necessary. Is there any reason you can't use SSL Offloading or SSL Bridging configurations here?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com