Hi all ,I am new in the F5 administration, I share my configuration here, I hope someone can help me, I have configured a VS as standard, with a persistence session (JSESSION), via an iRule, however the certificate is carried by the backend server, my question could the F5 describe the content of the traffic, in order to redirect to the target server and take advantage of the session persistence required by the application ? Thanks ;

you are welcome.Here is an article on JSESSIONID persistence, in case you need it :https://support.f5.com/csp/article/K7392

If the cert is on the server that means your vip can not decrypt the traffic and it will not be able to read/see the cookie. To be able to use this persistence type your vip will need to have a cert and terminate the ssl session.

First, you need to make the VIP decrypt the traffic. So you need an SSL certificate to terminate the HTTPS sessions on the VIP side. After that, you will need an irule. Here is an example: The following iRule example illustrates how the BIG-IP system can find a cookie called jsessionid in the first response from the server and add a persistence record with the value of that cookie. Subsequent client requests containing the same cookie name and value pair persists to the same pool member. when HTTP_RESPONSE { if { [HTTP::cookie exists "JSESSIONID"] } { persist add uie [HTTP::cookie "JSESSIONID"] } } when HTTP_REQUEST { if { [HTTP::cookie exists "JSESSIONID"] } { persist uie [HTTP::cookie "JSESSIONID"] } } https://support.f5.com/csp/article/K7392 If you need the traffic to the server from the F5 to be also encrypted you will need an SSL server profile. https://support.f5.com/csp/article/K14806 here is how to export a SSL cert: https://manage.accuwebhosting.com/knowledgebase/1240/How-to-export-an-SSL-certificate-from-Apache-server.html here is how to import it: https://my.f5.com/manage/s/article/K14620

HI, Thanks for you reply , I also had this doubt, but I wanted to have confirmation , so in addition to the certificate configured on the server, I must also install another one on the F5, or will a single certificate on the VIP F5 suffice?Regards,

Usually, it is enough to have 1 cert on the VIP. This way the traffic between the client and the VIP is secured.But if you want you can have a cert on the server. This way also the traffic between the F5 device and the server is secured. There are scenarios where this is needed. There are security teams that ask that all traffic is secured (encrypted.)

Persistence session | DevCentral

mihaic
MVP
Jan 03, 2023
you are welcome.
Here is an article on JSESSIONID persistence, in case you need it :
https://support.f5.com/csp/article/K7392
mihaic
MVP
Jan 02, 2023
If the cert is on the server that means your vip can not decrypt the traffic and it will not be able to read/see the cookie. To be able to use this persistence type your vip will need to have a cert and terminate the ssl session.
Poseidon1974
Cirrostratus
Jan 03, 2023
HI,
Thanks for you reply , I also had this doubt, but I wanted to have confirmation , so in addition to the certificate configured on the server, I must also install another one on the F5, or will a single certificate on the VIP F5 suffice?
Regards,
mihaic
MVP
Jan 03, 2023
Usually, it is enough to have 1 cert on the VIP. This way the traffic between the client and the VIP is secured.
But if you want you can have a cert on the server. This way also the traffic between the F5 device and the server is secured. There are scenarios where this is needed. There are security teams that ask that all traffic is secured (encrypted.)
- Poseidon1974
  Cirrostratus
  Jan 03, 2023
  Really thanks !
Poseidon1974
Cirrostratus
Jan 04, 2023
Hi ,
Thanks for your reply , just to confirm , in this kind of configuration , which profile we should configure :
http_XFF
or
http_XFF_HSTS
Thanks,
- PSFletchTheTek
  MVP
  Jan 06, 2023
  Hi,
  
  Just for a little clarity if it helps, if you want to add the xff header to your http header.
  Then this is set in the http profile.
  its just a tick box you need to enable, either in the base profile but even better would be to make a new on with the base http profile as the parent and then add the xff header to that.
  
  Also you meantion certificates on the back end.
  So, you can have the cert from the server also on your f5 at the front end dependant on your use case.
  But you can also have it encrypted on the front end "client ssl" and have no cert on the back end server.
  This would then make the flow from the f5 to the backend server unencrypted.
  Which is fine, but you may need to talk to your security or architectual teams just to make sure they are happy with that. It will all depend on your security/risk posture and the network design.
  - Poseidon1974
    Cirrostratus
    Jan 08, 2023
    Hi ,
    Thank you for this detailed answer, however my need is to know, how to make session persistence work, obviously as long as the certificate is on the server and not on the F5, it will not work. because the traffic will not be decrypted by the F5. you tell me, i can export the certificate currently configured on the server to the F5? how ?
    Thanks,
mihaic
MVP
Jan 04, 2023
Any HTTP profile should be ok
Poseidon1974
Cirrostratus
Jan 05, 2023
Thanks !!

Forum Discussion

Persistence session

Recent Discussions

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Client SSL Profile set to Require Client Certificate breaks RDP in APM

Related Content

source address persistence maximum session timeout

ASP Session ID Persistence

Weblogic JSessionID Persistence for Session Replication

Sessions and Cookies and Persistence, oh my!

Setting up persistence in F5 XC

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS