Forum Discussion
menzo_110968
Nimbostratus
Aug 04, 2010
https virtual server terminating ssl at end servers side
Hi,
I am new to F5, and for several days I have had a problem putting in place an https virtual server terminating ssl at the end servers (https end to end).
I have configured:
- 1 virtual server listening: https://10.0.0.1:10095
- 1 pool servers with 2 nodes
- 1 ssl client profile with certificate and key imported from end server
- no ssl server profile
When I run tests with the url: https://10.0.0.1:10095, I get the error below.
It seems that the F5 is seeing http request instead of https.
////////////////////////
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Hint: https://10.0.0.1:10095/
//////////////////////
I also created an iRule redirecting http to https, but it is still not working.
when HTTP_REQUEST {
    # If it's not an HTTPS connection, send a redirect
    if {not ($https)} {
        HTTP::redirect https://[HTTP::host]:10095
    }
}
when HTTP_RESPONSE {
    if {[HTTP::is_redirect]} {
        # Rewrite the Location header from http to https
        HTTP::header replace Location [string map -nocase {http:// https://} [HTTP::header value Location]]
    }
}
Thank you for your help.
Maybe I missed something in my configuration or made a mistake.
3 Replies
- hoolio
Cirrostratus
Do you want to pass the SSL through unencrypted? If so, then you shouldn't add a client SSL or HTTP profile to the VS. If you want to decrypt and then re-encrypt the SSL, then you must add a client and server SSL profile to the VS.
Aaron
- menzo_110968
Nimbostratus
I want to decrypt and then re-encrypt the SSL.
- I already tried with both client and server SSL profile (same cert/key), but it didn't work.
Whatever the solution, I need to make it work.
Thank you for your help.
Menzo
- nathe
Cirrocumulus
So if you want to decrypt and then re-encrypt you will definitely need both a client and server ssl profile setting up, as Aaron mentioned previously.
If that still isn't working then, at a guess, could it be that you are listening on a random port (other than ssl port 443)? How have you set up the service port on the two pool members - are they set as 443? What port on the physical node itself is listening for ssl traffic? If that is only set as 443 then I imagine it may presume your random port is http, hence the failure. Or it could be port translation not checked?
This is totally a shot in the dark but thought it still worth mentioning - you never know.
N
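Added example, not part of any post in this thread: the two profile combinations discussed above, written as BIG-IP configuration stanzas in the format `tmsh list` prints. With a client SSL profile and no server SSL profile, the BIG-IP forwards decrypted HTTP to the pool members, and a web server listening for SSL answers cleartext with the "speaking plain HTTP" error quoted in the question. Object names, pool member addresses and the member port 443 are constructed placeholders; the member port must be whichever port the servers actually accept SSL on.

```tmsh
# Constructed example: names, member addresses and member port are placeholders.

# BEFORE (as described in the question): client SSL profile only.
# Client TLS is terminated on the BIG-IP and the request is sent to the
# pool members in cleartext, even though they listen for SSL.
ltm virtual vs_app_10095 {
    destination 10.0.0.1:10095
    ip-protocol tcp
    pool pool_app_ssl
    profiles {
        clientssl_app { context clientside }
        http { }
        tcp { }
    }
}

# AFTER (decrypt, then re-encrypt): add a server SSL profile on the
# serverside context so the BIG-IP opens a new SSL session to each member.
ltm pool pool_app_ssl {
    members {
        192.0.2.11:443 { address 192.0.2.11 }
        192.0.2.12:443 { address 192.0.2.12 }
    }
    # HTTPS monitor, so members are health-checked over SSL as well
    monitor https
}
ltm virtual vs_app_10095 {
    destination 10.0.0.1:10095
    ip-protocol tcp
    pool pool_app_ssl
    profiles {
        clientssl_app { context clientside }
        http { }
        serverssl { context serverside }
        tcp { }
    }
    # Needed because the listener port (10095) differs from the member port
    translate-port enabled
}
```

The two `ltm virtual` stanzas are alternatives for the same object, shown side by side for comparison, not a single loadable file.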
