Forum Discussion
HTTP or HTTPS on backend servers if SSL Offloading is used
Hi All,
Please consider below line diagram as per my setup.
Client ===HTTPS===LTM===HTTP===Web SERVERs or DB servers
The server team can enable either HTTP or HTTPS on the backend servers for incoming requests accessing the content. Ideally, can you advise whether HTTP or HTTPS is recommended for the web server to listen on to achieve this, as the connectivity between the LTM and the server will be an HTTP connection; however, the actual URL accessed by the client is HTTPS?
Regards,
Dayesh
- Ryan_80361
Cirrostratus
If you intend to configure SSL offload on the LTM then you should configure the pool members to use HTTP, not HTTPS.
- Dayesh_263997
Nimbostratus
Hi Ryan,
Thanks for the response.
Does that mean the TOMCAT web server will enable the HTTP service and not HTTPS at their end?
Regards,
Dayesh
- Kevin_Stewart
Employee
I would probably argue that, with respect to increased security concerns and the "zero trust" movement, a better practice would be to re-encrypt to the servers. You of course don't get the full performance benefit of SSL offload, but there's nothing that says you can't use 1K RSA keys on the inside to the servers, and 2K keys and/or ECC to the clients.
If you did re-encrypt to the Tomcat servers, it literally doesn't matter what certificates you apply to the servers, as the F5 will by default ignore server side certificate validation.
- Kevin_Stewart
Employee
SSL bridging means that you terminate client side TLS on the BIG-IP, and then re-encrypt to the server. This requires client and server SSL profiles. The client SSL profile should of course have your client-facing server certificate and private key, and have proper cipher support. The server side, because the internal TLS connection isn't validated by default, can be very simple. In fact you can usually get away with using the built-in "serverssl" profile on the LTM VIP.
So then, yes, the Tomcat server is listening on HTTPS, the BIG-IP VIP is listening on HTTPS, but traffic is decrypted on the BIG-IP.
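As an added example (not from the thread and not F5's own documentation), the tmsh commands below show both layouts discussed in this thread side by side: SSL offload to plaintext HTTP pool members, and SSL bridging with a server-ssl profile. All object names, addresses and certificate names are constructed placeholders, and the second server-ssl profile, which validates the Tomcat certificates against an internal CA, goes beyond the default-ignore setup the thread describes.

```tmsh
# Added example: SSL offload versus SSL bridging on a BIG-IP LTM.
# Object names, IPs and certificate names are constructed placeholders.

# Client-facing profile: public certificate and key, inheriting ciphers from the parent.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert app.example.com.crt key app.example.com.key

# --- Option A: SSL offload (LTM -> Tomcat is plaintext HTTP) ---
# Pool members listen on port 80; the server side of the VIP has no SSL profile.
create ltm pool tomcat_http_pool monitor http members add { 10.0.10.11:80 10.0.10.12:80 }
create ltm virtual app_offload_vs destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp http app_clientssl { context clientside } } pool tomcat_http_pool

# --- Option B: SSL bridging (LTM -> Tomcat is re-encrypted HTTPS) ---
# As the thread notes, the built-in "serverssl" profile is enough because the
# BIG-IP does not validate the server certificate by default (peer-cert-mode ignore).
create ltm pool tomcat_https_pool monitor https members add { 10.0.10.11:443 10.0.10.12:443 }
create ltm virtual app_bridge_vs destination 192.0.2.11:443 ip-protocol tcp profiles add { tcp http app_clientssl { context clientside } serverssl { context serverside } } pool tomcat_https_pool

# Hardened variant (assumption, beyond the thread): require the Tomcat certificate to
# chain to an internal CA so a rogue host in the pool subnet cannot impersonate a member.
create ltm profile server-ssl tomcat_serverssl defaults-from serverssl peer-cert-mode require ca-file internal-ca.crt
modify ltm virtual app_bridge_vs profiles replace-all-with { tcp http app_clientssl { context clientside } tomcat_serverssl { context serverside } }
```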