Forum Discussion

Johnny_John_133's avatar
Johnny_John_133
Icon for Nimbostratus rankNimbostratus
Sep 18, 2013

How does F5 LTM re-encrypt data with serverssl profile?

Hi   We have an F5 LTM in front of an apache node. Initially, the apache node (listens at port 443) was configured with SSLCertificate and SSLKey to do SSL Termination.   To offload this termin...
deployment
design
management
security
afedden_1985's avatar
afedden_1985
Icon for Cirrus rankCirrus
Sep 18, 2013

It really depends on your requirement but leaving the setting to ignore means the system ignores certificates from the server if they present one. Leave it at ignore unless you Require that the server is presenting a valid certificate. If you server is listening on port 443 they still need the SSL server certificate loaded.

 

The SSL server profile re-encrypts traffic to the pool acting as a SSL client over port 443. As long as the host name in the request to the VIP matches the Servers certificate it should work. But unless you have a need to inspect the client traffic to make a layer 7 decision or insert an HTTP header like X_Forwarded_For there is no need to terminate the SSL on the F5? You could pass it through your 443 VIP with no SSL client or server profile using a pool with nodes set for port 443.