Forum Discussion
Need help with SSL passthrough while using SNAT and an irule
For the BIG-IP to be able to do HTTP-commands such as HTTP::uri and HTTP::respond it will need the certificate as well, so Ryan's question is a valid one - is SSL passthrough a requirement?
What SSL passthrough (or SSL Proxy as the feature is called in the GUI) means is that the client is negotiating the SSL/TLS session with the server and the BIG-IP sits kind of like a "man-in-the-middle" and decrypts the traffic using the same key/certificate as the server. The problem with this is that there are a bunch of restrictions regarding the ciphers being used, and in my experience it's a hassle.
So unless your application absolutely requires the client to negotiate directly with the server I think SSL bridging is the preferred solution. That means that the client negotiates the SSL/TLS session with the BIG-IP and then the BIG-IP negotiates another SSL session with the server.
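The SSL bridging setup recommended in the reply above, as an added example in bigip.conf format that is not part of the original post. The object names (`irule_uri_example`, `vs_app_bridging`, `pool_app`), the address 192.0.2.10 and the `/maintenance` path are constructed for illustration, and the pool is assumed to exist already.

```tcl
# iRule using the HTTP commands mentioned in the thread. HTTP_REQUEST only
# fires when the virtual server has an http profile and the request has
# been decrypted by a client SSL profile.
ltm rule /Common/irule_uri_example {
when HTTP_REQUEST {
    # Constructed example path: answer directly from the BIG-IP
    if { [HTTP::uri] starts_with "/maintenance" } {
        HTTP::respond 503 content "Service unavailable" "Content-Type" "text/plain"
        return
    }
}
}

# SSL bridging: two separate TLS sessions.
#   clientside: client <-> BIG-IP (clientssl profile)
#   serverside: BIG-IP <-> pool member (serverssl profile)
ltm virtual /Common/vs_app_bridging {
    destination /Common/192.0.2.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_app
    profiles {
        # Default profile shown; in practice use a client SSL profile
        # that carries the application's own certificate and key.
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        # Re-encrypts toward the pool members
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
    }
    rules {
        /Common/irule_uri_example
    }
    source 0.0.0.0/0
    # SNAT so that return traffic from the servers comes back via the BIG-IP
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
```

Without the `clientssl` and `http` profiles the virtual server only forwards encrypted bytes, and the `HTTP_REQUEST` event in the iRule never fires.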