Forum Discussion

Ricardo_Kaligar's avatar
Ricardo_Kaligar
Icon for Nimbostratus rankNimbostratus
May 31, 2018

HTTPS -> HTTP using VS

Hi Everyone

 

I'm facing some challenges trying to get this done: I want to setup a VS that talk with the Clients using SSL and with the Pool Members without SSL, it means HTTPS(443) -> HTTP(80). Apparently everything is configured OK (when I used curl to test the https://[NLBDNSName]/ i got the certificate TLS Handshake is done properly) but the F5 is not going to the servers. Any idea that I can use or where to take a look on this? I'm very newbie in this kind of Load Balancer.

 

I look for your feedback and I really appreciate your help in this matter.

 

Regards

 

Ricardo K

 

application delivery
BIG-IP
iRules

3 Replies

Sort By
  • Samir_Jha_52506's avatar
    Samir_Jha_52506
    Icon for Noctilucent rankNoctilucent
    May 31, 2018

    Looks like you haven't assign client ssl profile to VIP.

     

    1. Create client ssl profile and associate key/cert.

       

    2. Assign clientssl profile to VIP.

       

    Then try to access your URL --> https://urlname.com

     

    • Ricardo_Kaligar's avatar
      Ricardo_Kaligar
      Icon for Nimbostratus rankNimbostratus
      May 31, 2018

      Hi

       

      Thanks a lot for your prompt response. The thing is, for any reason, the communication between the clients and the F5 is going OK, the issue is the F5, apparently, don't have the proper configuration and is not going to the server located at the pool.

       

      This is that I got when I used curl to test:

       

      • TCP_NODELAY set
      • Connected to urlname (ipaddress) port 443 (0)
      • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
      • successfully set certificate verify locations:
      • CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
      • TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
      • TLSv1.2 (OUT), TLS handshake, Client hello (1):
      • TLSv1.2 (IN), TLS handshake, Server hello (2):
      • TLSv1.2 (IN), TLS handshake, Certificate (11):
      • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      • TLSv1.2 (IN), TLS handshake, Server finished (14):
      • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
      • TLSv1.2 (OUT), TLS handshake, Finished (20):
      • TLSv1.2 (IN), TLS change cipher, Client hello (1):
      • TLSv1.2 (IN), TLS handshake, Finished (20):
      • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
      • Server certificate:
      • subject: CN=urlname; emailAddress=nobody@urlname.com
      • start date: May 28 19:51:28 2018 GMT
      • expire date: May 27 19:51:28 2020 GMT
      • common name: urlname (matched)
      • issuer: Issuing CA
      • SSL certificate verify ok.

      GET /dir/ HTTP/1.1 Host: urlname User-Agent: curl/7.50.3 Accept: /

       

      • SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
      • Curl_http_done: called premature == 1
      • Closing connection 0 curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

      And after that nothing else happened. In my understanding, this means the SSL portion of this scenario is configured OK, however, I don't know why is not going to the servers.

       

      I look for your feedback and I really appreciate your help in this matter.

       

      Kind Regards

       

      Ricardo K

       

    • Samir_Jha_52506's avatar
      Samir_Jha_52506
      Icon for Noctilucent rankNoctilucent
      May 31, 2018

      Have you configure any certificate on backend server?

       

      Capture ssldump for more information

       

      Try to configure default serverssl profile 'serverssl-insecure-compatible' to VIP. Hope vip will start working...