Forum Discussion
F5 SSL Pass-through with Xforward.
Dear Steve,
Thanks for your response.
I have enabled Proxy SSL in the SSL profile and then enabled the X-Forwarded-For in the HTTP profile, but this didn't insert the client IP in the HTTP header.
My setup is as follows: Client request SSL ----> LTM (doing the SSL Proxy) --> F5 WAF ---> Server
I have configured SSL client side and SSL server side with SSL proxy enabled in both profiles in the LTM; the HTTP profile with X-Forward has been added as well, but in the WAF events I am still unable to see the original client IP.
Do I have any workarounds, or will this not work, as Lidev said: "A Virtual Server configured with SSL pass-through prevents F5 BIG-IP from using application-layer features"?
Regards,
Muhannad
The beast did it when I have excluded DH, DHE..
- SteveMC, Mar 09, 2020, Altostratus
Yes, it is important here to understand exactly what Proxy SSL Passthrough is, and what it is doing in order to understand when the application-layer features (HTTP Profile, WAF, etc) are and are not applied.
Proxy SSL:
With the original version of Proxy SSL configured, the LTM has a copy of the server's private key and it uses that to perform what is essentially a Man in the Middle (MITM) attack on all traffic where those SSL Profiles are applied.
Unfortunately, DH/DHE cipher suites are specifically designed to safeguard against MITM attacks. Proxy SSL also has several other incompatibilities, like TLS Session Tickets. If any of these are present, Proxy SSL will break and traffic will simply fail.
Because of this, F5 eventually added the Proxy SSL Passthrough mode.
Proxy SSL Passthrough:
Proxy SSL Passthrough is exactly the same as standard Proxy SSL, except that when incompatible (DH/DHE) ciphers are negotiated the LTM will bypass Proxy SSL completely (as if you had not configured any SSL Profiles) instead of dropping the traffic.
However, this is a problem if you are relying on being able to decrypt the traffic for any other purpose (HTTP Profile, iRules, APM Policies, ASM WAF inspection, etc).
My personal recommendation is to avoid Proxy SSL unless absolutely necessary. Is there any reason you can't use SSL Offloading or SSL Bridging configurations here?
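The following script is an added illustration of the rule Steve describes, written for this thread; it is not F5 code and does not talk to a BIG-IP. It classifies OpenSSL-style cipher-suite names by key exchange, predicts whether a Proxy SSL or Proxy SSL Passthrough virtual server will decrypt, bypass or fail the connection (and therefore whether X-Forwarded-For insertion and WAF inspection happen), and filters a server's cipher list down to the suites Proxy SSL can handle. Beyond the DH/DHE suites named in the thread it treats every ephemeral key exchange (ECDHE and all TLS 1.3 suites) the same way, because a proxy holding only the server's private key cannot recover an ephemeral secret; the server cipher list at the bottom is constructed sample input.

```python
"""Predict the effect of Proxy SSL / Proxy SSL Passthrough from the
negotiated cipher suite (added example for the DevCentral thread above;
assumes OpenSSL-style suite names as reported by tools such as
`openssl s_client`)."""

from dataclasses import dataclass

# OpenSSL name prefixes whose key exchange uses an ephemeral secret that a
# proxy holding only the server's private key cannot recover.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-")
STATIC_DH_PREFIXES = ("ECDH-", "DH-")


def key_exchange(suite: str) -> str:
    """Classify the key exchange of a cipher-suite name: 'rsa', 'ephemeral'
    or 'static-dh'. TLS 1.3 suites (TLS_...) always use (EC)DHE."""
    if suite.startswith("TLS_") or suite.startswith(EPHEMERAL_PREFIXES):
        return "ephemeral"
    if suite.startswith(STATIC_DH_PREFIXES):
        return "static-dh"
    return "rsa"  # e.g. AES256-GCM-SHA384, AES128-SHA: RSA key transport


@dataclass
class Outcome:
    decrypted: bool       # the LTM sees plaintext
    xff_inserted: bool    # the HTTP profile can add X-Forwarded-For
    waf_inspected: bool   # ASM/WAF sees the request
    note: str


def predict(suite: str, passthrough: bool) -> Outcome:
    """Apply the thread's rules: RSA key exchange -> Proxy SSL decrypts;
    any DH-family key exchange -> the connection fails under plain Proxy SSL
    or is bypassed (no application-layer features) under Passthrough."""
    if key_exchange(suite) == "rsa":
        return Outcome(True, True, True, f"{suite}: decrypted by Proxy SSL")
    if passthrough:
        return Outcome(False, False, False,
                       f"{suite}: Proxy SSL Passthrough bypassed decryption; "
                       "no HTTP profile, iRule or WAF processing")
    return Outcome(False, False, False, f"{suite}: connection fails")


def proxy_ssl_compatible(suites):
    """Keep only suites Proxy SSL can decrypt: what 'excluding DH, DHE'
    in the thread amounts to. Note this gives up forward secrecy."""
    return [s for s in suites if key_exchange(s) == "rsa"]


# Constructed sample: a server offering both ephemeral and RSA suites.
SERVER_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-SHA",
]

if __name__ == "__main__":
    for mode, pt in (("Proxy SSL", False), ("Proxy SSL Passthrough", True)):
        print(f"== {mode} ==")
        for s in SERVER_CIPHERS:
            o = predict(s, pt)
            print(f"  xff={o.xff_inserted!s:5} waf={o.waf_inspected!s:5} {o.note}")
    print("Suites Proxy SSL can decrypt:", proxy_ssl_compatible(SERVER_CIPHERS))
```

Run against the real cipher list of the back-end server, the last line shows the only suites for which the LTM will insert X-Forwarded-For and the WAF will log the original client IP under Proxy SSL; if the client and server prefer an ephemeral suite, Passthrough silently skips all of that, which is the behaviour observed in the thread.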