Forum Discussion
Incosistent forwarding of HTTP/2 connections with layered virtual
How I read this HTTP/2 breaks SNI based routing in layered VS setup. Bad, but thanks for this important hint! Another reason why I don't like http/2.
- zamroni777Jun 27, 2024Nacreous
simply do the ssl temination in tier1 vserver.
the new udp based http/3 uses same coalescing mechanism.
it's faster than tcp based http v1.1/v2.
i don't think it should be avoided as youtube, facebook and many cdn use it.- svsJun 28, 2024Cirrostratus
I agree that we can't ignore that, just because it breaks our beloved concepts and new technologies often require new methods and concepts. That's fine.
However, my main caveat is, that I need to re-encrypt between tier1 and tier2 virtual, if I don't want to create a security gap or provoke legitimate discussions with the guys from information security, by transporting the traffic unencrypted between both virtuals. I'm talking about the usage of tcpdump on the BIG-IP. Yes, I'm aware, that each encryption on the BIG-IP can be dumped and decrypted. But there's a difference from the information security point of view, whether I need to invest some effort to get unencrypted traffic (which could be formally prohibitted) or if my configuration is "open like barn door".
zamroni777are you aware that this will solve the issue? Do you have practical experience with this configuration? The descriptions from F5 require customized (server) SSL profiles to "full-proxy HTTP/2". Why do you think that enabling HTTP/2 on tier2 virtual wont result in the same issue? If the same TCP connection is used, why should TLS be re-negotiated by bringing the termination to the tier1 virtual? This would be required to correctly forward the connection to the correct tier2 virtual via SNI-Routing. It's still the same (outer) TCP connection and probably the same (wildcard) certificate...
- zamroni777Jun 28, 2024Nacreous
as long as t1 vserver does ssl termination, we can use either http or https between the t1 and t2.
t1 forwards to t2 based on request's http host header. instead of the sni.
t1 can see http host header because t1 terminates client's ssl sessions.i myself is not fan of tiering as we have to buy t1 ltm only for it to forward to another/t2 ltm while the t2 actually can do what the t1 does.
i see bigip as application layer oriented device, not network layer oriented like router etc.
so, put bigip in servers's subnet using private ip nat-ed by upfront router/netfw, run ltm and waf in same vservers and forward to pools accordingly.
regarding ips/ids needs to decrypt ssl to do inspection, i think just let waf like asm does the app layer inspection.
waf can do more than ips/ids while usually also cheaper.
https://www.f5.com/pdf/white-papers/big-ip-asm-ips-differences-wp.pdf
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com