Forum Discussion
How to configure a virtual server with serverssl profiles to talk to both HTTP and HTTPS backends?
If I may expand, I'd make a few additional points.
- Do you need SNI information applied to the server SSL profile(s)? Do you even really need multiple server SSL profiles? Most SSL sessions are client-initiated, so on the server side, the server SSL profile is responsible for initiating the SSL handshake to the server. In other words, it speaks first. The Server Name (SNI) field in the server SSL profile is used to inject a Server Name Indication extension in the F5's ClientHello message to the server. You'd only need this if the server actually required it, which they usually don't.
- Switching and/or enabling/disabling server side attributes needs to happen before the server side context (SERVER_CONNECTED), so LB_SELECTED would work, but for what you're doing HTTP_REQUEST would probably be more appropriate. So basically, assign a server SSL profile to the VIP, and selectively disable it based on the client side HTTP request. Something like this:

      when CLIENT_ACCEPTED {
          # Start every connection with server-side SSL turned off
          SSL::disable serverside
      }
      when HTTP_REQUEST {
          switch [string tolower [HTTP::host]] {
              "foo.company.com" {
                  # Re-encrypt to the backend only for this host
                  SSL::enable serverside
              }
          }
      }

- If you're switching between different pool members during a single client connection, then you absolutely should enable OneConnect. But if the client is only going to a single pool member, then you don't need it.
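
A per-request variant of the iRule in the post, as an added example that is not part of the original reply: it makes the server-side SSL decision on every request, which is the case the OneConnect point covers, where one client connection reaches both HTTPS and HTTP pool members. The pool names `pool_https_backends` and `pool_http_backends` are hypothetical, and stripping the port from the Host header with `getfield` is an addition so that `foo.company.com:443` does not fall through to the plaintext branch.

```tcl
# Added example; pool names are hypothetical placeholders.
when CLIENT_ACCEPTED {
    # Default state for the connection: no SSL toward the server.
    SSL::disable serverside
}

when HTTP_REQUEST {
    # The Host header may carry a ":port" suffix; compare on the name only.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch $host {
        "foo.company.com" {
            # This host's backends speak HTTPS: use the server SSL profile.
            SSL::enable serverside
            pool pool_https_backends
        }
        default {
            # Set the state explicitly on every request so an earlier
            # request on the same client connection cannot leave
            # server-side SSL enabled for a plaintext backend.
            SSL::disable serverside
            pool pool_http_backends
        }
    }
}
```

This assumes a server SSL profile and a OneConnect profile are both assigned to the virtual server, as the post describes.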