Forum Discussion
How to Use Web Server for SSL instead of F5 via F5
Hello,
I am trying to use the certs that are installed on the web server instead of the certs on the F5. How can I achieve this?
- shaggy_121467 (Cumulonimbus)
Are you looking to offload SSL on the F5 using the web server's certificate, or are you looking to terminate SSL at the web server instead of the F5?
- skethi_183651 (Nimbostratus)
OK, now I understand what SSL offloading means. We are currently doing SSL offloading, but we don't want to do that. We want to terminate SSL at the web server instead of the F5. This is only a backup approach we are trying to use temporarily.
- shaggy_121467 (Cumulonimbus)
In the virtual server configuration of the application's virtual server configured for HTTPS, remove the clientSSL profile and the serverSSL profile. When you remove a client SSL profile from a virtual server, the F5 loses the ability to examine HTTP-level data, as the F5 is now passing encrypted data through rather than terminating SSL and re-encrypting to the pool members. Therefore, if you use any of the following features/profiles, they will also need to be removed:
- HTTP profile
- OneConnect
- cookie-based persistence
- HTTP compression
- stream profile
- analytics profile
- HTML profile
- web acceleration profiles
- iRules that use HTTP events/functions
- LTM policies that have HTTP-related statements
- etc.
- skethi_183651 (Nimbostratus)
Thanks for the update, but we are using iRules; we need iRules, as that is what is doing the traffic routing and redirects. Is there any other alternative? Or what kind of iRule can I use?
- skethi_183651 (Nimbostratus)
I have also read something about Proxy SSL on the server profile and the client profile. Will this work for my issue?
- Brad_Parker (Cirrus)
As shaggy said, if you are using any Layer 7 events, including HTTP, which requires an HTTP profile, that means you will require a client SSL profile. I don't think you can control the Layer 7 packet flow in proxy mode; I believe that is more for inspection for logging. If you are currently doing SSL offload, there's no problem with re-encrypting with a server SSL profile to still have an SSL handshake with the backend server.
- skethi_183651 (Nimbostratus)
Thank you Brad and Shaggy, I understand what you are saying now. But how can I create an iRule without HTTP events/functions? Below is my current iRule, which I use to redirect traffic to a different pool; that is, the traffic redirect on the ports is keyed on the URL. How can I achieve the same functionality without using the HTTP events/functions? What are the alternatives to the events/functions below?

```tcl
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "abc.com" } {
        # Send abc.com requests to 123.com, keeping the original URI
        HTTP::redirect "http://123.com/homepage[HTTP::uri]"
    } elseif { [string tolower [HTTP::host]] equals "123.com" } {
        # 123.com requests go to the QA pool with persistence disabled
        pool QA-WEB-444_Pool
        persist none
    } else {
        # Everything else uses the virtual server's default pool
        persist none
    }
}
```
- Brad_Parker (Cirrus)
I may have misspoken about not being able to use the SSL proxy feature, though I have never actually tried it myself. Give it a whirl in a pre-prod environment and see if your iRule still works. Make sure, however, that your clientSSL profile only includes ciphers that your backend server can negotiate. I do know that they have to be compatible to work. https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html & https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html should get you started.
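One way to keep host-based pool selection on a pass-through virtual server, added here as an example that is not part of the thread and not F5's own code: instead of reading HTTP::host after decryption, read the server_name (SNI) extension from the TLS ClientHello, which clients send in the clear before any encryption starts (this is still true for TLS 1.3). This goes beyond the replies above, which stop at "you need a client SSL profile". It assumes a standard virtual server with only a tcp profile (no client-ssl, server-ssl or http profile, which also rules out a fastL4 profile, since CLIENT_DATA needs the standard TCP stack) and the pool names ABC-WEB_Pool and QA-WEB-444_Pool. The redirect in the original iRule cannot be reproduced this way: without terminating TLS the BIG-IP cannot write an HTTP response into the encrypted stream, so abc.com is simply sent to its own pool and the web server there has to issue the redirect.

```tmsh
ltm rule /Common/sni_route {
# Added example, not from the thread. Selects a pool from the SNI host name in
# the TLS ClientHello on a TCP pass-through virtual server (tcp profile only,
# no client-ssl, server-ssl or http profile). Pool names are assumptions.

when CLIENT_ACCEPTED {
    # Hold the first client bytes so CLIENT_DATA can look at them.
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]
    set plen [TCP::payload length]

    # Need the 5-byte TLS record header and the 4-byte handshake header.
    if { $plen < 9 } {
        TCP::collect
        return
    }
    binary scan $payload cSS rtype rver rlen
    set rtype [expr {$rtype & 0xff}]
    set rlen [expr {$rlen & 0xffff}]

    # Not a handshake record (type 22): release to the default pool.
    if { $rtype != 22 } {
        TCP::release
        return
    }
    # A ClientHello with many extensions can span several segments: keep
    # collecting until the whole record is here, but give up past 16 KB.
    if { $plen < 5 + $rlen } {
        if { $plen < 16384 } {
            TCP::collect
            return
        }
        TCP::release
        return
    }
    binary scan $payload @5c htype
    if { [expr {$htype & 0xff}] != 1 } {
        # Not a ClientHello (handshake type 1): release untouched.
        TCP::release
        return
    }

    # Walk the ClientHello: 5 record + 4 handshake + 2 version + 32 random
    # puts the session_id length at offset 43. A malformed length ends up in
    # the catch and leaves sni empty, so the default pool is used.
    set sni ""
    set end [expr {5 + $rlen}]
    set off 43
    catch {
        binary scan $payload @${off}c n
        set off [expr {$off + 1 + ($n & 0xff)}]          ;# session_id
        binary scan $payload @${off}S n
        set off [expr {$off + 2 + ($n & 0xffff)}]        ;# cipher_suites
        binary scan $payload @${off}c n
        set off [expr {$off + 1 + ($n & 0xff)}]          ;# compression_methods
        if { $off + 2 <= $end } {
            binary scan $payload @${off}S n
            set off [expr {$off + 2}]
            set ext_end [expr {$off + ($n & 0xffff)}]
            if { $ext_end > $end } { set ext_end $end }
            while { $off + 4 <= $ext_end } {
                binary scan $payload @${off}SS etype elen
                set etype [expr {$etype & 0xffff}]
                set elen [expr {$elen & 0xffff}]
                set off [expr {$off + 4}]
                if { $etype == 0 && $off + 5 <= $ext_end } {
                    # server_name: list_len(2) name_type(1) name_len(2) host_name
                    binary scan $payload @[expr {$off + 3}]S nlen
                    set nlen [expr {$nlen & 0xffff}]
                    if { $off + 5 + $nlen <= $ext_end } {
                        binary scan $payload @[expr {$off + 5}]a${nlen} sni
                    }
                    break
                }
                set off [expr {$off + $elen}]
            }
        }
    }

    # Same host-to-pool mapping as the original iRule, minus the redirect.
    switch -- [string tolower $sni] {
        abc.com { pool ABC-WEB_Pool }
        123.com { pool QA-WEB-444_Pool }
        default { }
    }
    TCP::release
}
}
```

The body between the outer braces can be pasted into the iRule editor, or the whole stanza merged with `tmsh load sys config file FILE merge`. Clients that send no SNI (very old browsers, some scripted clients) land on the virtual server's default pool, and only source-address persistence is available on such a virtual server, since cookie persistence needs the http profile.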
Could you explain why you need to do the termination at the server?
If it is because of security demands, then there is no way to also be able to look into the traffic. That is the whole idea of SSL: you can't look in there.
If the demand is just to talk with encryption on the server side, you can apply a server-side SSL profile and do that.
The SSL Proxy feature decrypts the traffic as well and is compatible with iRules, as can be read in the following SOL: https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
If it doesn't work for you, you probably haven't got it set up correctly.
If you need help, please explain your use case a bit better.
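The three configurations discussed in this thread, side by side in bigip.conf form, as an added example that is not from the thread or from F5 documentation (object names, the 203.0.113.10 address, the cert/key file names, the cipher string and the iRule name host_route, which stands for the poster's existing iRule, are assumptions): the SSL offload the poster runs today, with the server-ssl re-encryption Brad mentions; the pure TCP pass-through that results from removing the client-ssl and server-ssl profiles as shaggy describes; and Proxy SSL as raised in the last replies. One caveat that is easy to miss with Proxy SSL: the BIG-IP still needs a copy of the web server's certificate and private key in the client-ssl profile, because it derives the session keys from the handshake it watches. The client sees the web server's certificate and the session is between client and server, but the key does not stay only on the web server.

```tmsh
# Added example, not from the thread. Three ways to build the HTTPS virtual
# server; names, address and cert/key file names are assumptions.

# 1. SSL offload with re-encryption. client-ssl terminates the client session
#    with the BIG-IP's own cert, server-ssl opens a second TLS session to the
#    pool member, and the http profile plus HTTP iRules work on the plaintext
#    in between.
ltm profile client-ssl /Common/vip_clientssl {
    defaults-from /Common/clientssl
    cert /Common/vip.crt
    key /Common/vip.key
}
ltm profile server-ssl /Common/reencrypt_serverssl {
    defaults-from /Common/serverssl
}
ltm virtual /Common/vs_https_offload {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    pool /Common/QA-WEB-444_Pool
    profiles {
        /Common/tcp { }
        /Common/http { }
        /Common/vip_clientssl { context clientside }
        /Common/reencrypt_serverssl { context serverside }
    }
    rules {
        /Common/host_route
    }
    source-address-translation {
        type automap
    }
}

# 2. Pass-through: TLS terminates on the web server. With client-ssl and
#    server-ssl gone, http, oneconnect, cookie persistence, compression,
#    stream, analytics, html, web-acceleration and every iRule or LTM policy
#    with HTTP statements must go too; the BIG-IP only balances TCP streams.
ltm virtual /Common/vs_https_passthrough {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    pool /Common/QA-WEB-444_Pool
    profiles {
        /Common/tcp { }
    }
    source-address-translation {
        type automap
    }
}

# 3. Proxy SSL: the handshake and the session run between client and web
#    server, so the client sees the web server's certificate, but the BIG-IP
#    holds a copy of that server's cert and key, derives the session keys and
#    decrypts in the middle, so http and HTTP iRules keep working.
#    proxy-ssl must be enabled on both profiles. The cipher string is an
#    assumption: keep only suites the web server negotiates and that Proxy SSL
#    can follow on your version (K13385, linked in the thread); check it with
#    tmm --clientciphers before relying on it.
ltm profile client-ssl /Common/proxyssl_clientssl {
    defaults-from /Common/clientssl
    cert /Common/webserver.crt
    key /Common/webserver.key
    proxy-ssl enabled
    ciphers DEFAULT:!ECDHE:!DHE
}
ltm profile server-ssl /Common/proxyssl_serverssl {
    defaults-from /Common/serverssl
    proxy-ssl enabled
}
ltm virtual /Common/vs_https_proxyssl {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    pool /Common/QA-WEB-444_Pool
    profiles {
        /Common/tcp { }
        /Common/http { }
        /Common/proxyssl_clientssl { context clientside }
        /Common/proxyssl_serverssl { context serverside }
    }
    rules {
        /Common/host_route
    }
    source-address-translation {
        type automap
    }
}
```

Only one of the three virtual servers can exist on the same destination address and port at a time; they are shown together for comparison. Merge whichever one you want with `tmsh load sys config file FILE merge`, and with variant 3 confirm from a client that the certificate presented is the web server's one and that the cipher negotiated is in the restricted list.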