HTTP Cookies when using SSL offloading
Hi, I have a problem related to my SSL offloading configuration on F5 LTM (v11.1). We have three servers in a pool. Servers connect to F5 via HTTP and clients connect to F5 on HTTPS. The problem is that when I capture the traffic between clients and F5 (where the traffic should be encrypted) I can capture cookies in HTTP without encryption. I edited the iRule to set the secure-only flag on cookies (this iRule is assigned to the HTTP virtual server) but I still get the cookies in non-secure format. Is there any solution for this problem?
11 Replies
- nitass
Employee
when I capture the traffic between Clients and F5 (where the traffic should be encrypted) I can capture cookies in HTTP without encryption.
How did you capture the traffic? Was it tcpdump or something else?
- siamak8888_2065
Nimbostratus
Servers<--http--->F5<---https---->Firewall<-----Internet(https)---->Users
I captured the traffic on the firewall between the Internet and F5 and I can see HTTP packets containing cookies; the other traffic is all encrypted in 443 (HTTPS) packets.
- FlorianLa_20661
Nimbostratus
When you captured the traffic, did you check the MAC addresses to see if your traffic really corresponds to traffic between F5 and clients? Because it can be an architectural problem.
Or maybe your firewall is doing SSL inspection?
- Stanislas_Piro2
Cumulonimbus
The secure flag does not encrypt the cookie but specifies to the browser that the cookie must not be sent to the server over an unsecured connection (if the user is redirected to an HTTP URL on the same domain).
As the cookie is added as an HTTP header of the answer, if the cookie is sent in clear, the whole connection is in clear...
Can you post the virtual server configuration?
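As an added illustration (not code from the thread or from F5), a small Python model of the browser rule described above: a cookie stored without Secure is attached to a plain http:// request, a cookie with Secure is not, plus the Set-Cookie rewrite that the iRule's `HTTP::cookie secure ... enable` performs. The Set-Cookie values and the persistence cookie name are constructed for the example.

```python
"""Added example (not from the thread): model how a browser treats the Secure
cookie attribute and how a Set-Cookie header is rewritten to carry it."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie values as an offloaded backend might emit them:
# the servers talk plain HTTP to the F5, so nothing sets Secure. The
# persistence cookie name is a made-up placeholder, not taken from a device.
RAW_SET_COOKIES = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "BIGipServerIB-APP_pool=1234.5678.0000; Path=/",
]


def parse_set_cookies(headers):
    """Build a minimal cookie jar: {name: {"secure": bool, "httponly": bool}}."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return jar


def add_secure(header):
    """Append '; Secure' unless the attribute is already present.
    This is the effect of `HTTP::cookie secure $name enable` in an iRule."""
    attrs = [part.strip().lower() for part in header.split(";")]
    if "secure" in attrs:
        return header
    return header + "; Secure"


def cookies_sent(jar, url):
    """Names a browser attaches to a request for url: Secure cookies only
    travel when the scheme is https; everything else also goes over http."""
    over_tls = urlsplit(url).scheme == "https"
    return sorted(n for n, a in jar.items() if over_tls or not a["secure"])


def missing_secure(headers):
    """Audit helper: cookie names that a plain-HTTP request would expose."""
    return [n for n, a in parse_set_cookies(headers).items() if not a["secure"]]
```

Run `missing_secure` over the Set-Cookie headers of a response from the HTTPS virtual server: an empty list means the flag is actually being applied where the client sees it.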
- siamak8888_2065
Nimbostratus
There is no inspection on my firewall; the firewall does not even contain the certificate to be able to decrypt the traffic for inspection.
Here is the related configuration:
ltm node /Common/10.0.35.55 {
    address 10.0.35.55
}
ltm node /Common/10.0.35.56 {
    address 10.0.35.56
}
ltm node /Common/10.0.35.57 {
    address 10.0.35.57
}
ltm pool /Common/IB-APP.app/IB-APP_pool {
    app-service /Common/IB-APP.app/IB-APP
    members {
        /Common/10.0.35.55:http { address 10.0.35.55 }
        /Common/10.0.35.56:http { address 10.0.35.56 }
        /Common/10.0.35.57:http { address 10.0.35.57 }
    }
    monitor /Common/tcp
    slow-ramp-time 300
}
ltm rule /Common/IB-APP.app/IB-APP_irule {
    app-service /Common/IB-APP.app/IB-APP
when HTTP_REQUEST {
    HTTP::redirect https://[HTTP::host][HTTP::uri]
}
when HTTP_RESPONSE {
    foreach cookie [HTTP::cookie names] {
        HTTP::cookie secure $cookie enable
    }
}
}
ltm rule /Common/IB-HTTPs-Rule {
# Notify the backend servers that this traffic was SSL offloaded by the F5.
when HTTP_REQUEST {
    HTTP::header insert "X-Forwarded-Proto" "https"
}
when HTTP_RESPONSE {
    foreach mycookie [HTTP::cookie names] {
        HTTP::cookie secure $mycookie enable
    }
}
}
ltm rule /Common/IB-OTP.app/IB-OTP_irule {
    app-service /Common/IB-OTP.app/IB-OTP
when HTTP_REQUEST {
    HTTP::redirect https://[HTTP::host][HTTP::uri]
}
}
ltm virtual /Common/IB-APP.app/IB-APP_http {
    app-service /Common/IB-APP.app/IB-APP
    destination /Common/10.0.35.28:http
    ip-protocol tcp
    mask 255.255.255.255
    persist { /Common/IB-APP.app/IB-APP_cookie_persistence_profile { default yes } }
    profiles {
        /Common/IB-APP.app/IB-APP_caching_profile { }
        /Common/IB-APP.app/IB-APP_http_profile { }
        /Common/IB-APP.app/IB-APP_lan-optimized_tcp_profile { context serverside }
        /Common/IB-APP.app/IB-APP_wan-optimized-compression_profile { }
        /Common/IB-APP.app/IB-APP_wan-optimized_tcp_profile { context clientside }
    }
    rules { /Common/IB-APP.app/IB-APP_irule }
    vlans-disabled
}
ltm virtual /Common/IB-APP.app/IB-APP_https {
    app-service /Common/IB-APP.app/IB-APP
    destination /Common/10.0.35.28:https
    ip-protocol tcp
    mask 255.255.255.255
    persist { /Common/IB-APP.app/IB-APP_cookie_persistence_profile { default yes } }
    pool /Common/IB-APP.app/IB-APP_pool
    profiles {
        /Common/IB-APP.app/IB-APP_clientssl { context clientside }
        /Common/IB-APP.app/IB-APP_http_profile { }
        /Common/IB-APP.app/IB-APP_lan-optimized_tcp_profile { context serverside }
        /Common/IB-APP.app/IB-APP_oneconnect { }
        /Common/IB-APP.app/IB-APP_wan-optimized_tcp_profile { context clientside }
    }
    snat automap
    vlans-disabled
}
- Stanislas_Piro2
Cumulonimbus
Which cookies are in clear?
- HTTP request
- HTTP response
- HTTPS request
- HTTPS response
When you connect to the application, can you validate that the cookies are defined as secure in your browser (Firefox is useful to view cookies quickly)?
If some cookies are not secure, can you delete all cookies and try again? Are they created again without the secure flag?
- siamak8888_2065
Nimbostratus
I don't know what the difference is between these cookies. The cookies which are sent from the user browser to F5 (where the traffic should be 443 (HTTPS)) are unencrypted and sent on 80 (HTTP). I want this cookie transmitted over HTTPS, not HTTP.
The cookies on client web browsers do not have the secure flag, and when I delete or clear the cookies in my browser the new ones are also without the secure flag.
Should I configure an iRule and assign it to the HTTPS virtual server? As you can see in the configuration, that iRule is assigned to the HTTP virtual server. The HTTPS virtual server does not have any iRule assigned to it.
- Stanislas_Piro2
Cumulonimbus
Did you try to change the cookie version as described in the HTTP::cookie iRule wiki? https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx
when HTTP_RESPONSE {
    set cookieNames [HTTP::cookie names]
    foreach aCookie $cookieNames {
        HTTP::cookie version $aCookie 1
        HTTP::cookie secure $aCookie enable
    }
}
- siamak8888_2065
Nimbostratus
I tried this one too, with the same result :( Users still send their cookies over HTTP instead of HTTPS.
- Stanislas_Piro2
Cumulonimbus
Before each retry, clear cookies in the browser to be sure there are no previously downloaded cookies.