Forum Discussion
HTTP PROFILE USE?
Hello,
I need to know how the HTTP profile works, because when I connect to my VIP without an HTTP profile it's OK, but with an HTTP profile it doesn't work....
For example, in my case a web client connects to an HTTPS VIP (no SSL profile, because the BIG-IP does not re-encrypt and does not do SSL offload, which is done by the server) without problem; but I would like to use an iRule to choose a pool based on an HTTP header, so I am obliged to use an HTTP profile for this! And when I activate my HTTP profile, it is not ready?
Thanks for help.
6 Replies
- Kevin_Stewart
Employee
Are you saying that this is an HTTPS application in which you are not offloading and/or re-encrypting SSL to the server? Passing SSL through the VIP?
If yes, then you cannot apply an HTTP profile. You must offload the client side SSL in order to be able to use an HTTP profile and subsequently parse HTTP data.
- nitass
Employee
ssl offload is required because http profile has to see unencrypted traffic.
- ckteur_147055
Nimbostratus
Thanks for your replies nitass and Kevin!
OK, I understand that if I want to use an HTTP profile in my case (HTTPS VIP) I must configure SSL offload.
But that is not possible for me, because in the chosen architecture it is the server (CAS Exchange Server) that decrypts the traffic, and SSL offload is deactivated on the BIG-IP and must stay in this state.
So I will not use the indicated iRule.... I don't know how to resolve my problem:
One VIP with several different application services behind it on the same TCP port! If you know it, it's Exchange web services (OWA, OA, AS, EWS etc.) on HTTPS, each with a dedicated pool and monitor.
Any idea ?
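For reference, this is the kind of iRule the thread is talking about: pool selection per Exchange web service from the HTTP request path. It is an added example, not code posted by anyone in the thread, and the pool names (pool_owa, pool_eas, pool_ews, pool_oa, pool_default) are assumptions. As the replies above explain, it only does anything on a virtual server where BIG-IP decrypts the client side (client-ssl profile) so the HTTP profile can parse the request; with SSL passed through, HTTP_REQUEST never fires.

```tcl
# Added example (not from the thread). Requires a client-ssl profile and an
# HTTP profile on the virtual server; otherwise the HTTP_REQUEST event does
# not fire because BIG-IP cannot see the decrypted request.
# Pool names below are assumptions for the example.
when HTTP_REQUEST {
    # Outlook and mobile clients vary the casing of the path, so normalise it.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/owa*"                         { pool pool_owa }   ;# Outlook Web App
        "/microsoft-server-activesync*" { pool pool_eas }   ;# ActiveSync
        "/ews*"                         { pool pool_ews }   ;# Exchange Web Services
        "/rpc/rpcproxy.dll*"            { pool pool_oa }    ;# Outlook Anywhere
        default {
            # Anything unrecognised goes to a catch-all pool; log at debug
            # level so unexpected paths can be found during troubleshooting.
            log local0.debug "No service match for [HTTP::host]$path from [IP::client_addr]; using pool_default"
            pool pool_default
        }
    }
}
```

Each pool can then carry its own health monitor for that service, which is what the question asks for; the trade-off is exactly the one discussed in the thread, since this requires SSL offload or bridging at the BIG-IP.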
- ekintulga_15690
Nimbostratus
To use the HTTP profile on an HTTPS VIP, you need to have your SSL certificates in place (client and server). Then, F5 will be able to decrypt the SSL traffic and re-encrypt it (optionally). To apply the iRule, F5 should be able to see the payload and IP headers.
Hope my answer will help you to sort your issue.
- Kevin_Stewart
Employee
Any specific reason why you cannot decrypt and re-encrypt at the VIP? Unless you're doing certificate-based mutual authentication directly on the CAS server, you can usually bridge the SSL.
- Kevin_Stewart
Employee
The architect took the decision not to use SSL encryption on the BIG-IP... The CAS server decrypts the client traffic and it is too late to change the configuration.......
That certainly makes it difficult. Without the ability to see the unencrypted OSI layer 7 traffic, you're not going to be able to make any routing decisions based on it. You could potentially try ProxySSL:
But your mileage may vary. The better option, in my humble opinion, is to explain to the architect the performance and security benefits of offloading SSL at the BIG-IP. If nothing else, it makes persistence MUCH more reliable.