Forum Discussion

Nfordhk_66801
Jun 18, 2014

HTTP Profile breaks HTTPS Connections

Hi,

 

We want to set up SSL forwarding for our HTTPS virtual server. If I set no HTTP profile and set up a bypass by selecting none for both client and server SSL, the site works properly.

 

If I apply an HTTP profile with this bypass the HTTPS breaks. Any ideas?

 

  • If you are wanting F5 to do a passthru, where your actual servers will be doing the encryption and decryption, select Type = Performance (Layer 4) on your VIP. Now, if you want F5 to do the SSL handshake for you, you will have to create a client side SSL profile on F5, and import your certificate and key onto F5. F5 will represent your server for the SSL session, and you have the option of setting up your backend to either talk HTTP or HTTPS.

     


     

  • That worked! But don't I need an HTTP profile to do load balancing with cookies? How else could I remedy this issue? I have it set up right now for source address.

     

  • Your load balancing option is set up in the pool. So whichever pool you assign to the L4 VIP, go to the members tab, and select your LB method. You can then set up your Default Persistence Profile to 'cookie' in your VIP object under the resource tab.

     

  • shaggy

    Yes - you'll want a standard VS, client-SSL profile with app cert/key, server-SSL profile (if backend is also SSL - none if backend is HTTP), HTTP profile, and a cookie persistence profile.

     

    Think of profiles as the F5 interacting with traffic at that 'level' - in order to do cookie persistence, the F5 needs to interact with HTTP (http-profile); in order to interact via HTTP, the F5 needs to decrypt the traffic (client-ssl profile).
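
The two setups discussed in this thread, written as BIG-IP configuration stanzas in the style that `tmsh list` prints. This is an added example, not configuration posted by anyone in the thread; every object name, address and cert/key name in it is a constructed placeholder.

```tmsh
# --- Option 1: SSL passthrough (Performance Layer 4) ---
# BIG-IP never decrypts, so it sees only L3/L4 data. No HTTP profile can be
# attached, and persistence is limited to L4 information such as source address.
ltm virtual vs_app_passthrough {
    destination 192.0.2.10:443
    ip-protocol tcp
    pool pool_app
    profiles {
        fastL4 { }
    }
    persist {
        source_addr { default yes }
    }
}

# --- Option 2: SSL termination on BIG-IP (standard virtual server) ---
# Placeholder cert/key object names; newer TMOS versions express this
# pairing as a cert-key-chain entry instead.
ltm profile client-ssl clientssl_app {
    defaults-from clientssl
    cert app.example.crt
    key app.example.key
}

# The layering described above: client-ssl decrypts, which lets the HTTP
# profile parse requests, which lets cookie persistence insert and read cookies.
ltm virtual vs_app_terminated {
    destination 192.0.2.11:443
    ip-protocol tcp
    pool pool_app
    profiles {
        tcp { }
        clientssl_app { context clientside }
        # Re-encrypt to the pool members; drop this entry if the backend is HTTP.
        serverssl { context serverside }
        http { }
    }
    persist {
        cookie { default yes }
    }
}
```

With option 2 the server's private key lives on the BIG-IP, so access to its key store and configuration backups needs the same protection the key had on the web servers.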