Hello, Up until now using the F5 has been fairly straight forward. Adding HTTPS certificate support for incoming IE connections however has got me stumped. I have watched the online webinar and tried many variations to get it working without success. What I am trying to do is to take a working HTTP connection through the F5 to a pool consisting of a pair of Tomcat servers and convert the virtual server connection from HTTP to HTTPS. Wireshark traces show the F5 and the Tomcat communicating with each other and all of the status balls are green. How do I go about debugging my problem? Where do I look to find out what is not happening? Regards, Mark

MarkM, Quick question, are you talking about putting SSL on the front side of the connection or the back side: Client ---> Virtual server (front side) Virtual Server ------> Apache pool members (back side) Joshm

Front side, client to F5. Not F5 to the balanced server in the pool.

Sweet! Alright, here's my favorite way to do it, everyone has a flavor of it I'm sure. 1. Create a new virtual server, a clone of the port 80 Virtual server. For this example, I'll call it clone-https --Key difference: This one listens on port 443. 2. Import the certificate and key into the F5. Local Traffic -> certificate list ->import 3 . Create a client SSL profile , local traffic ->profiles -> ssl -> client (http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html?sr=18888170) . That is where you are going to define the certificate and key. For the example, I'll call the profile coolssl 4. Assign the client ssl profile to the Virtual server clone-https. Go into the virtual server properties, change it from basic to advanced, and there you should see the client ssl profile option. Click update... and boom. Try to hit the ssl version of the site. workie? hopefully. joshm

Hello Josh, Thank you for the clear instructions. Unfortunately, no workie. I even created a new certificate using openssl. I get the following error "Internet Explorer cannot display the webpage". If I change the service port back to 80 and then remove the ssl client profile, then it works. I need some advice on how to debug this one. I installed wireshark on my backend tomcat 6 server and it shows tcp connections going between the tomcat server and the F5. Mark

MarkM, Huh. So when I am troubleshooting ssl, I typically use openssl to see if the certificate is being handed out: openssl s_client -connect VIPIP:443 If the client is being handed out, then the front end connection is most likely good, and there is just an issue with the pool. For further checking, you can run tcpdump on the F5 unit itself. tcpdump -s0 -ni 0.0:nnn host and port 443 -w /var/tmp/external.pcap That file can be openned in wireshark. Does the openssl connection work? -Josh

HTTPS Problem | DevCentral

nitass
Employee
Jan 24, 2012
Would you please explain what I just did to make it work?i suspect http redirect from pool might not be rewritten correctly since pool is not listening on default port 80.

Rewriting Redirects by Deb

http://devcentral.f5.com/Tutorials/...rects.aspx
MarkM_63051
Nimbostratus
Jan 24, 2012
Can the http Redirect Rewrite = ALL be built into an iRule? I need to create rules for my pools that use cookie persistance.

http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/220/Rewriting-Redirects.aspx

nitass

Employee

Jan 24, 2012

Can the http Redirect Rewrite = ALL be built into an iRule?yes

e.g.

root@ve1100(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    snat automap
    vlans-disabled
}
root@ve1100(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:8080 {
            address 200.200.200.101
        }
    }
}
root@ve1100(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE {
   if {[HTTP::is_redirect]} {
      HTTP::header replace Location [string map {"http://200.200.200.101:8080" "https://172.28.19.252"} [HTTP::header Location]]
   }
}
}

[root@ve1100:Active] config  curl -I http://200.200.200.101:8080/test
HTTP/1.1 302 Found
Date: Tue, 24 Jan 2012 23:17:46 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://200.200.200.101:8080/redir/test
Content-Type: text/html; charset=iso-8859-1

[root@ve1100:Active] config  curl -Ik https://172.28.19.252/test
HTTP/1.1 302 Found
Date: Tue, 24 Jan 2012 23:17:57 GMT
Server: Apache/2.2.3 (CentOS)
Location: https://172.28.19.252/redir/test
Content-Type: text/html; charset=iso-8859-1

hooleylist
Cirrostratus
Jan 25, 2012
Nice work Nitass :)

Aaron

Forum Discussion

HTTPS Problem

Recent Discussions

ports are showing open on online scanning tool

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

Related Content

Monitor problem

Introducing QUIC and HTTP/3

SDN's Eventually Consistent Network Problem

Routing problem for connect() in iRule

iapps f5.automated_backup problem

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS