
Forum Discussion

Mansab_Mahmood_
Mar 03, 2014

HTTP request/URL rewrite with SSL offload

Hello Everyone,

I have a pool of web servers on my internal corporate network running a password reset service over HTTPS (certificate issued by the corporate CA), load balanced through the internal LTM (no SSL offload taking place on the LTM).

This service only responds if we use the URL to access it; if we use the IP address, it does not respond.

Now my task is to publish this service on the internet (through the DMZ LTMs) using a public certificate and a different URL. However, I want to rewrite the URL received from the internet users (after doing SSL offload) while forwarding the request to the servers in the corporate VLAN.

Internal URL: preset.internal.org.com
Internal SSL Certificate Subject: preset.internal.org.com
Certificate Authority: Corporate CA

External URL: preset.org.com
Internal SSL Certificate Subject: preset.org.com
Certificate Authority: Public CA

I have tried the usual iRules with the "replace host" functions, but I am unable to achieve my objective.

Kindly help me, thanks!

5 Replies

  • This service only responds if we use the URL to access it; if we use the IP address, it does not respond.

    Is this for browser clients, and is the above a function of a layer 7 (HTTP) mechanism (Host header filtering), or a layer 6 (SSL) certificate subject filter?

    Does the backend service still listen on HTTPS, and if so are you re-encrypting with a server SSL profile?

  • Hi Kevin,

    First off, thanks for your response.

    For question 1, yes, this service is for browser clients, and as far as I have come to know from the systems team, this is some mechanism of HTTP header filtering. For your second question, I believe the service still listens on 443 at an L4 level, and I tried it both ways, i.e. with a serverssl profile and without it; it didn't make any difference.

    Regards, MM

  • First and most important, you cannot evaluate and/or touch any layer 7 HTTP data (headers, cookies, URIs, URLs, etc.) if you do not terminate the SSL at the proxy. You can optionally re-encrypt to the server, but you must at the very least have a client SSL profile applied to the F5 VIP to decrypt the SSL. So to decrypt and re-encrypt, you need both client and server SSL profiles applied to the VIP. Once you have that in place, and working, you can apply an iRule to change the HTTP Host header in the request.


  • Kevin,

    That is how I attempted it before posting here.

    On the external LTM (working as a reverse proxy) we have a clientssl profile with the respective certificate for offload and a serverssl profile to do the re-encryption. On top of this setting, I was applying a simple "replace host header" iRule to do the change, but things were still not working.

    I was wondering whether this has to do with some settings for the stream profile ...

  • In the absence of any iRules, if you can access the application through a VIP that has both client and server SSL profiles, then you can reasonably assume that SSL offload and re-encryption is working properly. If your iRule is not replacing the Host header as desired, then I'd have to suspect the iRule logic itself. Can you post that iRule here?
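As an added example (not an iRule posted in this thread), here is a rule of the kind Kevin describes in his two replies above: the clientssl profile decrypts, the serverssl profile re-encrypts, and the iRule swaps the Host header in between, using the two hostnames from the original post. It goes one step further than a bare "replace host": a server that filters on the Host header usually also builds absolute redirects and cookie domains from it, so the response side maps the internal name back to the public one. The path is left untouched, since the thread only describes a change of hostname. The event logic, the `static::` variable names and the redirect/cookie handling are this editor's assumptions about the environment, not anything confirmed by MM or Kevin.

```tcl
# Added example (not from the thread). Assumes: a virtual server on the DMZ LTM with a
# clientssl profile for preset.org.com (public CA), a serverssl profile for re-encryption
# to the pool, and an HTTP profile so the HTTP_* events fire. Hostnames are from the post.
when RULE_INIT {
    set static::ext_host "preset.org.com"            ;# name the internet user types
    set static::int_host "preset.internal.org.com"   ;# name the pool members insist on
}

when HTTP_REQUEST {
    # Layer 7 is only visible here because the clientssl profile has already decrypted it.
    # Rewrite the Host header before the request is re-encrypted toward the pool.
    if { [string tolower [HTTP::host]] equals $static::ext_host } {
        HTTP::header replace Host $static::int_host
        # Uncomment while troubleshooting; shows in /var/log/ltm what was actually sent.
        # log local0.info "[IP::client_addr] Host rewritten to [HTTP::host] for [HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    # A server that filters on Host usually also builds absolute redirects from it,
    # so map the internal name back to the public one in any Location header.
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header Location]
        if { [string tolower $loc] contains $static::int_host } {
            HTTP::header replace Location \
                [string map -nocase [list $static::int_host $static::ext_host] $loc]
        }
    }
    # Likewise for Set-Cookie domains scoped to the internal name; a cookie for
    # preset.internal.org.com would never be sent by the browser to preset.org.com.
    foreach name [HTTP::cookie names] {
        set dom [HTTP::cookie domain $name]
        if { [string tolower $dom] contains $static::int_host } {
            HTTP::cookie domain $name $static::ext_host
        }
    }
}
```

Attach the rule to the DMZ virtual server that carries the clientssl, serverssl and HTTP profiles; without an HTTP profile the HTTP_REQUEST and HTTP_RESPONSE events never fire, which is one reason a "replace host" rule can appear to do nothing. Two caveats that follow from the thread itself: if the servers filter at the TLS layer (Kevin's layer 6 question) rather than on the Host header, no header rewrite can help, because that check happens before any HTTP data is seen; and a stream profile, which MM wonders about, does find-and-replace on the payload passing through the connection, not on HTTP headers, so it is not where a Host header problem gets fixed. The commented log line, once enabled, shows in /var/log/ltm exactly which Host value reached the pool, which is the quickest way to settle whether the rewrite is happening at all.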