Forum Discussion
Plain HTTPS Server with no SSL termination
Dear Team, I need to create an HTTPS virtual server with no SSL offloading. (Certificate is installed directly on OBIE Server.) Pool member node listens on 9804 with certificate installed on it (HTTPS needs to be enabled with the URL: https://obie.xyz.ae:9804/analytics). I am able to access the physical IP of the OBIE server (10.10.41.19, which resolves to obie.xyz.ae). However, I am unable to access the virtual IP configured on F5 in the same way. Please guide me on the proper steps in order to achieve the same (is there any SSL client or server profile required on Virtual Server?). Also, the requirement is that users need to access the same URL without mentioning the port, i.e. https://obie.xyz.ae (9804/analytics) not required.
Hoping for the earliest response from you guys. Please do the needful.
Thanks, Vish
10 Replies
- nitass_89166
Noctilucent
However I am unable to access the virtual IP configured on F5 in the same way.
can you post the configuration?
tmsh list ltm virtual (name)
tmsh list ltm pool (name)
is there any SSL client or server profile required on Virtual Server ?
no
there is some information here. hope it is helpful.
sol12015: Configuration requirements for SSL virtual servers, profiles, pools, and monitors
https://support.f5.com/kb/en-us/solutions/public/12000/000/sol12015
- Vishakh_Krishna
Nimbostratus
(tmos.ltm) list virtual HQ-OBI-P-2-https-VS
ltm virtual HQ-OBI-P-2-https-VS {
    description HQ-OBI-P-2
    destination 10.10.47.120:https
    ip-protocol tcp
    mask 255.255.255.255
    pool HQ-OBI-P-2-Pool
    profiles {
        HQ-OBI-P-2-https {
            context serverside
        }
        star.tdic.ae {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
=======================
ltm pool HQ-OBI-P-2-Pool {
    load-balancing-mode least-connections-member
    members {
        10.10.41.19:9804 {
            address 10.10.41.19
            session monitor-enabled
            state up
        }
    }
    monitor TCP-9804
}
===========================
ltm monitor tcp TCP-9804 {
    defaults-from tcp
    destination *:*
    interval 5
    time-until-up 0
    timeout 16
}
================================
- nitass
Employee
can you try to remove HQ-OBI-P-2-https and star.tdic.ae profiles?
- Vishakh_Krishna
Nimbostratus
Removed both the SSL profiles on the virtual server. Still I am not able to access the server through the virtual IP. 10.10.41.19 is the physical server and the SSL certificate is installed on it, and the server listens on port 9804 using the URL https://10.10.41.19.xyz.ae:9804/analytics. But when I use the virtual IP https://10.10.47.120.xyz.ae:9804/analytics, it doesn't work, which is one of the requirements. Second requirement is I need to rewrite the URL https://10.10.47.120.xyz.ae:9804/analytics to https://10.10.47.120. Please do the needful.
- nitass
Employee
But when I use the virtual IP https://10.10.47.120.xyz.ae:9804/analytics, it doesn't work, which is one of the requirements.
you used the wrong url. it should be https://10.10.47.120/analytics
Second requirement is I need to rewrite the URL https://10.10.47.120.xyz.ae:9804/analytics to https://10.10.47.120.
without ssl offloading, you cannot rewrite uri.
- Vishakh_Krishna
Nimbostratus
You are right. When I tried using https://10.10.47.120/analytics, it works without any SSL profiles. Thanks a million for your support. However, I have a query: if I want to access the same URL https://10.10.47.120 without using /analytics, what are the configuration changes that need to be done?
Thanks, Vish
- nitass
Employee
you have to do ssl offloading (i.e. decrypt and re-encrypt traffic). then you can rewrite uri (i.e. add /analytics using HTTP::uri).
HTTP::uri
https://clouddocs.f5.com/api/irules/HTTP__uri.html
- Vishakh_Krishna
Nimbostratus
Thanks a lot for your support.
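The SSL offloading setup described in nitass's last reply, sketched as tmsh configuration. This is an added example, not something posted in the thread. It assumes that star.tdic.ae is a client SSL profile and HQ-OBI-P-2-https a server SSL profile (as their contexts in the posted configuration indicate), that `http` is the built-in HTTP profile, and the rule name `add-analytics-uri` is hypothetical.

```tcl
ltm rule add-analytics-uri {
    # Added example; the rule name is hypothetical.
    # HTTP_REQUEST only fires when the virtual server carries an HTTP profile
    # and the client-side TLS session is decrypted by a client SSL profile.
    when HTTP_REQUEST {
        # Map a request for the bare site root onto the application path.
        # Any other URI is passed to the pool member unchanged.
        if { [HTTP::uri] eq "/" } {
            HTTP::uri "/analytics"
        }
    }
}
ltm virtual HQ-OBI-P-2-https-VS {
    destination 10.10.47.120:https
    ip-protocol tcp
    mask 255.255.255.255
    pool HQ-OBI-P-2-Pool
    profiles {
        HQ-OBI-P-2-https {
            context serverside
        }
        star.tdic.ae {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        add-analytics-uri
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
}
```

With this layout the client sees the certificate from the client SSL profile rather than the one installed on 10.10.41.19, and the server SSL profile re-encrypts the traffic toward 10.10.41.19:9804, so the leg to the pool member stays on TLS.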