Forum Discussion

Ricardo_Kaligar's avatar
Ricardo_Kaligar
Icon for Nimbostratus rankNimbostratus
May 31, 2018

HTTPS -> HTTP using VS

Hi Everyone   I'm facing some challenges trying to get this done: I want to setup a VS that talk with the Clients using SSL and with the Pool Members without SSL, it means HTTPS(443) -> HTTP(80). ...
application delivery
BIG-IP
iRules
Samir_Jha_52506's avatar
Samir_Jha_52506
Icon for Noctilucent rankNoctilucent
May 31, 2018

Looks like you haven't assign client ssl profile to VIP.

 

  1. Create client ssl profile and associate key/cert.

     

  2. Assign clientssl profile to VIP.

     

Then try to access your URL --> https://urlname.com

 

  • Ricardo_Kaligar's avatar
    Ricardo_Kaligar
    Icon for Nimbostratus rankNimbostratus
    May 31, 2018

    Hi

     

    Thanks a lot for your prompt response. The thing is, for any reason, the communication between the clients and the F5 is going OK, the issue is the F5, apparently, don't have the proper configuration and is not going to the server located at the pool.

     

    This is that I got when I used curl to test:

     

    • TCP_NODELAY set
    • Connected to urlname (ipaddress) port 443 (0)
    • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    • successfully set certificate verify locations:
    • CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
    • TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
    • TLSv1.2 (OUT), TLS handshake, Client hello (1):
    • TLSv1.2 (IN), TLS handshake, Server hello (2):
    • TLSv1.2 (IN), TLS handshake, Certificate (11):
    • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    • TLSv1.2 (IN), TLS handshake, Server finished (14):
    • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    • TLSv1.2 (OUT), TLS handshake, Finished (20):
    • TLSv1.2 (IN), TLS change cipher, Client hello (1):
    • TLSv1.2 (IN), TLS handshake, Finished (20):
    • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    • Server certificate:
    • subject: CN=urlname; emailAddress=nobody@urlname.com
    • start date: May 28 19:51:28 2018 GMT
    • expire date: May 27 19:51:28 2020 GMT
    • common name: urlname (matched)
    • issuer: Issuing CA
    • SSL certificate verify ok.

    GET /dir/ HTTP/1.1 Host: urlname User-Agent: curl/7.50.3 Accept: /

     

    • SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
    • Curl_http_done: called premature == 1
    • Closing connection 0 curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

    And after that nothing else happened. In my understanding, this means the SSL portion of this scenario is configured OK, however, I don't know why is not going to the servers.

     

    I look for your feedback and I really appreciate your help in this matter.

     

    Kind Regards

     

    Ricardo K

     

  • Samir_Jha_52506's avatar
    Samir_Jha_52506
    Icon for Noctilucent rankNoctilucent
    May 31, 2018

    Have you configure any certificate on backend server?

     

    Capture ssldump for more information

     

    Try to configure default serverssl profile 'serverssl-insecure-compatible' to VIP. Hope vip will start working...