Forum Discussion
Https health monitor required authentication to work but back-end servers do not need authentication
LTM version: BIG-IP 10.2.4 Build 771.0 Hotfix HF6
Issue: back-end servers do not require authentication, but the https health monitor required authentication to mark back-end servers UP.
What I did to test:
1) I ran "curl -v -k -L https://10.220.200.126:50001/startPage" and got a response of "200 OK" without any user ID and password
2) I used the Microsoft wget utility to run an https GET request and also got the "200 OK" response with the anonymous method
3) LTM https health monitor with the following settings:
   a) TYPE: https
   b) Send String: GET /startPage\r\n
   c) Receive String: 200 OK
   d) Cipher List: DEFAULT:+SHA:+3DES:+kEDH
Result: Health check failed. After adding a user ID and password, the health check succeeded and all back-end servers were marked up. Why is that? Please help.
Thanks
Jack Wang
4 Replies
- Kevin_Stewart
Employee
I'm guessing the only way to know for sure is to watch the traffic. Since this is SSL you'll need to either run ssldump from the command line (with the server's SSL private key):
    ssldump -k [path to server's private key] -AdNn -i 0.0 port 443 and host [server's IP]
or dump to a file and inspect in wireshark (also with the server's private key):
    tcpdump -lnni 0.0 -s0 port 443 and host [server's IP] -w [path to write file.pcap]
I'm a bit curious about the -L option in your first cURL statement. That option allows cURL to follow 30x redirects. Does your application send a redirect from this initial /startPage?
- Jack_Wang_168_2
Nimbostratus
Hi Kevin, I used httpwatch and Microsoft wget to test. Both methods show no 30x code. As for tcpdump, I will need to make a request to the application team for the private key. Will get back on that. By the way, a question on the cipher list: I don't remember that applying a particular cipher suite will automatically turn on a basic authentication requirement. Right? At first, I thought the application team lied to me about not needing authentication to access the page. But the curl command run from the LTM proves that no authentication is required. The difference is that I didn't have a cipher suite in the curl command line.
Thanks
Jack Wang
- Kevin_Stewart
Employee
"I don't remember that applying a particular cipher suite will automatically turn on a basic authentication requirement. Right?"
Correct. That has nothing to do with application authentication.
"The difference is that I didn't have a cipher suite in the curl command line."
The HTTPS monitor lets you specify the cipher string, while cURL and wget just do it for you. You can indeed specify a cipher string in these utilities, but regardless, the client (cURL) is definitely negotiating SSL with a set of supported ciphers.
- Kevin_Stewart
Employee
Good question. The only significant difference between a built-in monitor and a command line tool is "who" is doing the work. The built-in monitors generally use data plane processes, while command line tools use the management plane CPUs. Otherwise the built-in HTTP monitor will do the same thing the cURL command will do.
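Added example, not part of the thread and not F5 code: a small Python probe that sends the monitor's Send String byte for byte over TLS with the monitor's cipher list, then reports the status line, whether the Receive String appears, and any WWW-Authenticate challenge, so the reply can be compared with what curl gets. Assumptions: the Receive String is treated as a plain substring match, the function names are made up for this example, and SAMPLE_401 is a constructed reply used when no host is given.

```python
import socket, ssl, sys

# Monitor settings copied from the original post.
SEND_STRING = "GET /startPage\\r\\n"
RECEIVE_STRING = "200 OK"
CIPHERS = "DEFAULT:+SHA:+3DES:+kEDH"
# Constructed sample reply, not captured from any real server.
SAMPLE_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"WWW-Authenticate: Basic realm=\"constructed\"\r\n\r\n")

def decode_send_string(s):
    """Turn the escaped Send String (literal \\r and \\n) into wire bytes."""
    return s.replace("\\r", "\r").replace("\\n", "\n").encode("ascii")

def status_line(resp):
    return resp.split(b"\r\n", 1)[0].decode("latin-1")

def auth_challenge(resp):
    """WWW-Authenticate value if the server asked for credentials, else None."""
    head = resp.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"www-authenticate":
            return value.strip().decode("latin-1")
    return None

def verdict(resp, receive_string=RECEIVE_STRING):
    # Assumption: Receive String is a plain substring of the reply.
    return "UP" if receive_string.encode("ascii") in resp else "DOWN"

def probe(host, port, ciphers=CIPHERS, timeout=5.0):
    """Send exactly the monitor's bytes over TLS; return up to 8 KiB of reply."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # no certificate checks, like curl -k
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(ciphers)
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw) as tls:
        tls.sendall(decode_send_string(SEND_STRING))
        try:
            while len(buf) < 8192:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except OSError:
            pass                          # keep whatever arrived before the stall
    return buf

if __name__ == "__main__":  # usage: probe.py HOST PORT (no args: sample reply)
    reply = probe(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else SAMPLE_401
    print(status_line(reply), verdict(reply), auth_challenge(reply), sep=" | ")
```

Run it with the pool member's address and port as the two arguments; a recent Python may refuse to negotiate with a server that only offers old SSL/TLS versions.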