Forum Discussion
HTTPS -> HTTP using VS
Hi Everyone
I'm facing some challenges trying to get this done: I want to set up a VS that talks with the clients using SSL and with the pool members without SSL, that is, HTTPS (443) -> HTTP (80). Apparently everything is configured OK (when I used curl to test https://[NLBDNSName]/ I got the certificate, and the TLS handshake is done properly) but the F5 is not going to the servers. Any idea that I can use, or where to take a look on this? I'm very new to this kind of load balancer.
I look for your feedback and I really appreciate your help in this matter.
Regards
Ricardo K
3 Replies
- Samir_Jha_52506
Noctilucent
Looks like you haven't assigned a client SSL profile to the VIP.
- Create a client SSL profile and associate the key/cert.
- Assign the clientssl profile to the VIP.
Then try to access your URL --> https://urlname.com
- Ricardo_Kaligar
Nimbostratus
Hi
Thanks a lot for your prompt response. The thing is, for any reason, the communication between the clients and the F5 is going OK; the issue is that the F5, apparently, doesn't have the proper configuration and is not going to the server located in the pool.
This is what I got when I used curl to test:
- TCP_NODELAY set
- Connected to urlname (ipaddress) port 443 (0)
- Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
- successfully set certificate verify locations:
- CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
- TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
- TLSv1.2 (OUT), TLS handshake, Client hello (1):
- TLSv1.2 (IN), TLS handshake, Server hello (2):
- TLSv1.2 (IN), TLS handshake, Certificate (11):
- TLSv1.2 (IN), TLS handshake, Server key exchange (12):
- TLSv1.2 (IN), TLS handshake, Server finished (14):
- TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
- TLSv1.2 (OUT), TLS change cipher, Client hello (1):
- TLSv1.2 (OUT), TLS handshake, Finished (20):
- TLSv1.2 (IN), TLS change cipher, Client hello (1):
- TLSv1.2 (IN), TLS handshake, Finished (20):
- SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
- Server certificate:
- subject: CN=urlname; emailAddress=nobody@urlname.com
- start date: May 28 19:51:28 2018 GMT
- expire date: May 27 19:51:28 2020 GMT
- common name: urlname (matched)
- issuer: Issuing CA
- SSL certificate verify ok.
GET /dir/ HTTP/1.1
Host: urlname
User-Agent: curl/7.50.3
Accept: */*
- SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
- Curl_http_done: called premature == 1
- Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
And after that nothing else happened. In my understanding, this means the SSL portion of this scenario is configured OK; however, I don't know why it is not going to the servers.
I look for your feedback and I really appreciate your help in this matter.
Kind Regards
Ricardo K
- Samir_Jha_52506
Noctilucent
Have you configured any certificate on the backend server?
Capture an ssldump for more information.
Try to configure the default serverssl profile 'serverssl-insecure-compatible' on the VIP. Hope the VIP will start working...
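
Added example, not part of the thread or written by any of its posters: a small Python triage of `curl -v` output that reports the furthest stage a transfer reached, so a trace like the one above can be read as "TLS to the listener is fine, the reset came after the request". The function name `triage`, the stage labels and the sample text are assumptions made for this illustration; the sample is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: key lines of the curl -v output quoted in the thread,
# with curl's usual "*" and ">" prefixes.
SAMPLE = """\
* Connected to urlname (ipaddress) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* SSL certificate verify ok.
> GET /dir/ HTTP/1.1
> Host: urlname
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
"""

def triage(verbose_output):
    """Return (stage, detail): the furthest point the transfer reached."""
    tcp = tls = verified = sent = answered = False
    errno = None
    for raw in verbose_output.splitlines():
        line = raw.strip()
        # Forum rendering can turn curl's "* " prefix into "- "; accept both.
        info = re.sub(r"^[*-]\s+", "", line)
        tcp = tcp or info.startswith("Connected to ")
        tls = tls or info.startswith("SSL connection using ")
        verified = verified or info.startswith("SSL certificate verify ok")
        sent = sent or bool(re.match(r"(> )?(GET|HEAD|POST|PUT|DELETE) \S+ HTTP/", line))
        answered = answered or bool(re.match(r"(< )?HTTP/\d", line))
        m = re.search(r"errno (\d+)", info)
        if m:
            errno = int(m.group(1))
    if not tcp:
        return ("tcp", "no TCP connection to the listener")
    if not tls:
        return ("tls", "TLS handshake with the listener did not complete")
    if not sent:
        return ("request", "handshake done, but no HTTP request was sent")
    if answered:
        return ("ok", "an HTTP response came back")
    cert = "verified" if verified else "not verified"
    if errno == 104:  # ECONNRESET on Linux
        return ("reset-after-request",
                f"TLS up (certificate {cert}), request sent, then connection reset before any response")
    return ("no-response", f"TLS up (certificate {cert}), request sent, no response seen")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `reset-after-request` result means the client-side TLS leg completed, so the next place to look is what the load balancer does with the decrypted request on its way to the pool.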