Forum Discussion
Need help with SSL passthrough while using SNAT and an irule
I cannot find the right combination to make this work. I have an irule that basically returns a maintenance page when the active pool members hit 0:
    # Serve a maintenance page from ifiles when no pool member is available
    when HTTP_REQUEST {
        if { [active_members COAWEBCLNX_8038_POOL] == 0 } {
            switch [HTTP::uri] {
                "/top_banner_jpg" {
                    # Banner image for the maintenance page (a space is required before the header name)
                    HTTP::respond 200 content [ifile get "top_banner_jpg"] "Content-Type" "image/png"
                }
                default {
                    # Everything else gets the maintenance HTML
                    HTTP::respond 200 content [ifile get "Under_Maintenance_page3_html"]
                }
            }
        }
    }
I need SSL pass-through to work. The destination port needs to translate from 443 to port 8038. AND I'm using SNAT automap.
HELP!!!!!!!!!
6 Replies
- Frank_Murray_3
Nimbostratus
sorry..... LTM 11.4.1
- Ryannnnnnnnn
Altocumulus
Why is SSL pass through a requirement? Can you not perform SSL bridging if there is a requirement to have an encrypted connection between the BIG-IP and the pool members?
- Frank_Murray_3
Nimbostratus
uh.....can I? The certificate is on the servers, that's my constraint.
Tell me more....
- Henrik_Gyllkran
Nimbostratus
For the BIG-IP to be able to do HTTP commands such as HTTP::uri and HTTP::respond, it will need the certificate as well, so Ryan's question is a valid one: is SSL passthrough a requirement?
What SSL passthrough (or SSL Proxy, as the feature is called in the GUI) means is that the client is negotiating the SSL/TLS session with the server and the BIG-IP sits kind of like a "man-in-the-middle" and decrypts the traffic using the same key/certificate as the server. The problem with this is that there are a bunch of restrictions regarding the ciphers being used, and in my experience it's a hassle.
So unless your application absolutely requires the client to negotiate directly with the server I think SSL bridging is the preferred solution. That means that the client negotiates the SSL/TLS session with the BIG-IP and then the BIG-IP negotiates another SSL session with the server.
- Frank_Murray_3
Nimbostratus
So, at the risk of sounding stupid here, that means a cert on the F5 in addition to the cert on the server, right? Can the cert and key be the same ones on both? If I can find the cert on the server, can I just import it into the F5?
Or do the certs have to be completely different?
- Henrik_Gyllkran
Nimbostratus
Yes, for encryption all the way, both the BIG-IP and the server need a cert and key. And they can be the same or different, it doesn't matter. And yes, if you can get the cert and key from the server you can import them into the BIG-IP; it has the capability to import many different formats.
And also, note that in most cases you don't even need a particular cert and key on the server, because the BIG-IP does not by default verify that it is issued by a proper CA and so on. One of the points of handling SSL on the BIG-IP is that you get centralized certificate management.
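The SSL bridging setup Henrik describes, written out as tmsh commands (an added example, not from the thread or from F5 documentation): the client-ssl profile terminates the client's TLS on the BIG-IP so the HTTP profile and the iRule can see the request, the server-ssl profile re-encrypts towards the servers, and the pool members on port 8038 give the 443-to-8038 port translation without any extra setting. The virtual IP, member IPs, cert/key file names, profile names and the iRule name COAWEB_maintenance are placeholders; the cert and key are assumed to already be imported under System > File Management, and the iRule to be created in the GUI with the maintenance-page code from the question.

```tmsh
# Pool members listen on 8038; the virtual on 443 translates the port by default
create ltm pool COAWEBCLNX_8038_POOL members add { 10.1.20.11:8038 10.1.20.12:8038 } monitor https

# Client side: BIG-IP presents the (imported) server cert and key to browsers
create ltm profile client-ssl COAWEB_clientssl defaults-from clientssl cert COAWEB.crt key COAWEB.key

# Server side: BIG-IP opens a fresh TLS session to each pool member
create ltm profile server-ssl COAWEB_serverssl defaults-from serverssl

# Virtual server: HTTP profile + both SSL profiles, SNAT automap, maintenance iRule
create ltm virtual COAWEB_443_VS destination 10.1.10.50:443 ip-protocol tcp \
    profiles add { tcp { } http { } COAWEB_clientssl { context clientside } COAWEB_serverssl { context serverside } } \
    pool COAWEBCLNX_8038_POOL \
    source-address-translation { type automap } \
    rules { COAWEB_maintenance }

# Check that the profiles and pool landed on the virtual as intended
list ltm virtual COAWEB_443_VS
```

With the server-ssl profile attached, the BIG-IP does not verify the pool members' certificates by default, so a self-signed or mismatched cert on the servers will still work; the client-facing cert on the client-ssl profile is the one browsers validate.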