Ireda
Apr 09, 2023

HTTPS virtual server with custom TCP port

Hi, how do I configure an HTTPS virtual server with a custom TCP port? Example: https://XZY.org:8080

Do we need to change the F5 listening port from 443 to 8080 only or do we need other steps?

Would that require an HTTP profile? I noticed that if I apply an HTTP profile, the VIP fails to open.

ex:

1) https://xyz.org:8080 with HTTP profile, no SSL client, and no SSL server profiles does not open and shows the error "This site can't be reached".

2) https://xyz.org:8080 with no HTTP profile, no SSL client, and no SSL server profiles opens as "not secure", and we need to apply advanced WAF.

 

 

  • Ireda This would only require having your virtual server (VS) listening on the respective destination IP and port 8080. The reason this doesn't work for you when you apply an HTTP profile is that you are not performing SSL termination on the F5, and since the traffic is encrypted, the F5 doesn't know what to do, so the connection fails. The reason you are most likely receiving a "not secure" error is that the servers that you are balancing to either don't have a trusted CA SSL certificate installed, have an SSL certificate that doesn't match the name in your URL, or have an expired SSL certificate installed. So as an example, if you have an SSL certificate for *.example.com installed on the destination servers and you use xyz.org in the URL, even though that points to the same destination IP, your browser sees the mismatch and gives you that not secure error. You should be able to validate the SSL certificate that you are being provided by clicking the lock icon next to the URL in your browser or by using the following curl command.

    curl -Ivk "https://<url>"

    Also, you do not have to configure an HTTP profile unless you are doing something to look at the HTTP header, such as cookie persistence or attempting to balance based on host or URI. If you would like to do that on the F5, just make sure you perform SSL termination on the F5 VS in question.

    • Ireda

      Thanks for your reply, but regarding the VIP: the port will be 8080 and the protocol will be "Other", or what?

      Also, how can I do F5 SSL termination on the VS? You mean assigning an SSL profile for the client side?

      • Ireda If you enter the port, it should auto-select the appropriate setting. Are you referring to the drop-down to the right of the service port that says HTTPS, or are you referring to the protocol just below that under the configuration section that should set itself to TCP? If you want to perform SSL termination and pass the traffic decrypted to the pool members, you only configure an SSL client profile with a valid SSL cert, key, and intermediate if necessary. If you want to pass encrypted traffic to the pool member after the F5 has done what it needs to, you can configure both an SSL client profile and an SSL server profile; the SSL server profile can be the default serverssl or other profiles that are already on the F5. You only have to adjust the SSL server profile if you only want to use certain SSL ciphers as well as a few more options.
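
The two setups described in the replies above, written as tmsh commands. This is an added example, not part of the original posts: the object names (xyz_org_clientssl, vs_xyz_org_8080, pool_xyz), the 192.0.2.10 address and the certificate file names are placeholders, and the certificate, key, intermediate and pool are assumed to exist on the BIG-IP already.

```tmsh
# Added example; every name and address below is a placeholder.
# Assumes xyz.org.crt, xyz.org.key and intermediate.crt are already imported
# and that pool_xyz already exists.

# 1) Client SSL profile carrying the certificate for the name used in the URL.
#    A certificate that does not match xyz.org, is expired, or is not issued by
#    a trusted CA still produces the browser's "not secure" warning.
create ltm profile client-ssl xyz_org_clientssl { defaults-from clientssl cert-key-chain add { xyz_org { cert xyz.org.crt key xyz.org.key chain intermediate.crt } } }

# 2) SSL termination on the virtual server: listener on port 8080, IP protocol TCP.
#    The HTTP profile works here because the client SSL profile decrypts the
#    traffic before the HTTP profile inspects it.
#    With only the client SSL profile, pool members receive decrypted HTTP.
create ltm virtual vs_xyz_org_8080 { destination 192.0.2.10:8080 ip-protocol tcp pool pool_xyz profiles add { tcp { } http { } xyz_org_clientssl { context clientside } } }

# 3) Optional: re-encrypt toward the pool members by also attaching a server
#    SSL profile (the default serverssl is used here).
modify ltm virtual vs_xyz_org_8080 profiles add { serverssl { context serverside } }

# 4) Confirm the listener port and the attached profiles.
list ltm virtual vs_xyz_org_8080 destination profiles
```

After step 2, the curl command from the first reply, pointed at the virtual server on port 8080, shows the certificate from the client SSL profile rather than the one installed on the pool members.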