HTTPS Redirect with no SSL termination on F5
Hi, I am trying to set up an HTTPS redirect so all the traffic to https://www.example.com/ goes to https://www.example.com/guest, but this HTTPS virtual server is not using F5 to do SSL offload, so F5 to backend server is HTTPS, not HTTP.
I tried using F5 to decrypt the HTTPS traffic by loading an SSL client cert to this virtual server, so it can use iRule, and then encrypt it before it sends back to server, but couldn't get that to work.
I wonder if F5 can do this kind of redirect, with iRule or something else.
Thanks in advance!
10 Replies
- nitass
Employee
I tried using F5 to decrypt the HTTPS traffic by loading an SSL client cert to this virtual server, so it can use iRule, and then encrypt it before it sends back to server, but couldn't get that to work.
can you post the configuration?
tmsh list ltm virtual virtual_server_name
tmsh list ltm pool pool_name
- Hummingbird_143
Nimbostratus
Here is the config:
tmsh list ltm pool airgroup-https-pool
ltm pool airgroup-https-pool {
    members {
        10.79.107.228:https {
            priority-group 1
            session monitor-enabled
        }
        10.68.118.138:https {
            priority-group 2
            session monitor-enabled
        }
    }
    min-active-members 1
    monitor https
}
tmsh list ltm virtual airgroup-https-vs
ltm virtual airgroup-https-vs {
    destination 10.68.220.25:https
    ip-protocol tcp
    mask 255.255.255.255
    pool airgroup-https-pool
    profiles {
        tcp { }
    }
    snat automap
    translate-address disabled
}
And I'll try the client/server profile as suggested by Nathan.
- nathe
Cirrocumulus
Hummingbird, You'll need a http profile too if you want to do redirection.
- nathe
Cirrocumulus
Hummingbird,
Yes, F5 can do this. Apply a Client SSL profile to the VS to decrypt/terminate the SSL traffic. Use the certificate for the hostname required, i.e. www.example.com.
If you then want to re-encrypt to the backend then you can simply apply the default serverssl Server SSL profile to the VS too.
As for redirecting the URI, you can use an iRule, else an HTTP Class Profile (applied to the VS) or a Local Traffic Policy too (if using TMOS 11.4 and above).
Hope this helps,
N
- Kevin_Stewart
Employee
In short, if you do not decrypt the SSL at the proxy (F5), you cannot have the proxy issue an HTTP redirect. If you are willing to decrypt (and optionally re-encrypt) the data at the proxy, then you can absolutely do an HTTP redirect. Based on your question, I'd recommend revisiting the decrypt/re-encrypt option. That requires client and server SSL profile applied to the virtual server. Are you requiring client certificate at the web server, or any specific SSL requirements that may be causing issues in the re-encryption?
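The decrypt, redirect and re-encrypt setup described in the replies above, written out as a tmsh-style listing. This is an added example, not configuration posted by anyone in the thread. The client SSL profile name, the certificate and key file names and the iRule name are hypothetical; the virtual server and pool settings are the ones posted earlier in the thread.

```tcl
# Annotated tmsh-style listing (constructed example, not from the thread).
# Hypothetical names: example-clientssl, www.example.com.crt,
# www.example.com.key, redirect-root-to-guest.

# Client SSL profile holding the certificate for the public hostname.
ltm profile client-ssl example-clientssl {
    defaults-from clientssl
    cert www.example.com.crt
    key www.example.com.key
}

ltm rule redirect-root-to-guest {
    when HTTP_REQUEST {
        # Redirect only the bare root path. /guest and every other path
        # pass through to the pool, so the rule cannot loop.
        if { [HTTP::path] eq "/" } {
            # Fixed hostname rather than [HTTP::host], so a client-supplied
            # Host header is never reflected into the Location header.
            HTTP::redirect "https://www.example.com/guest"
        }
    }
}

# Profiles on the virtual server:
#   example-clientssl  decrypts client traffic so the request is visible
#   http               required for HTTP_REQUEST and HTTP::redirect
#   serverssl          re-encrypts to the HTTPS pool members; the default
#                      profile does not verify the backend certificate
ltm virtual airgroup-https-vs {
    destination 10.68.220.25:https
    ip-protocol tcp
    mask 255.255.255.255
    pool airgroup-https-pool
    profiles {
        example-clientssl { context clientside }
        http { }
        serverssl { context serverside }
        tcp { }
    }
    rules { redirect-root-to-guest }
    snat automap
    translate-address disabled
}
```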
- Hummingbird_143
Nimbostratus
Thanks everyone for the help, and I got this working with both client and server SSL profile applied to the https virtual server.
Thanks again, DevCentral is really a unique place comprised of super-smart users who know just about everything there is to know about F5 technology. Most of the time I can find my answer on DevCentral instead of needing to contact F5 support.
- nathe
Cirrocumulus
good to hear, thanks for letting us know