Forum Discussion
Protect CloudFront service with ASM VE AWS
Hello, I am trying to protect a web application that is hosted in AWS, but before the traffic reaches the backend servers it first goes through a CDN (CloudFront). The F5 is in front of CloudFront, and the traffic is seen entering the F5. However, when the traffic is sent to the backend (CloudFront), I see SSL proxy problems in the logs. When I remove the SSL profiles (client and server), the service works. I have checked that the profiles are well created. In the captures you can see that there is a problem with the SSL negotiation with the backend (CloudFront). If CloudFront is consumed directly over HTTPS, it works correctly.
pcap
- Simon_Blakely
Employee
Well, it looks like the ServerHello from the Cloudfront server does not meet the server-ssl profile requirements, and the BigIP terminates the connection. You have to figure out what works, and make sure that the server-ssl profile matches.
Look at the incoming client-side ClientHello. The outgoing server-side ClientHello needs to match as closely as possible. Check for a Server-Name Indication extension on the server-side. Check the supported TLS protocols and ciphers.
Craft a specific server-ssl profile to ensure that as closely as possible, the ClientHello requests match.
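The ClientHello comparison suggested in the reply above can be scripted. This is an added example, not code from the thread or from F5: it parses a ClientHello record for its SNI, offered TLS versions and cipher suites, then reports which fields differ between two hellos. Both sample hellos are generated locally by Python's `ssl` module as stand-ins for the client-side and server-side captures, and `origin.example.com` is a placeholder hostname.

```python
import ssl
import struct

def capture_client_hello(server_name):
    """Return the ClientHello record Python's ssl module would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # lets server_name=None model a hello without SNI
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # expected: hello is queued, no peer replies
    return outgoing.read()

def parse_client_hello(record):
    """Extract SNI, offered TLS versions and cipher suites from one ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4                         # record header + handshake header
    legacy = record[pos:pos + 2].hex()
    pos += 2 + 32                       # legacy_version + random
    pos += 1 + record[pos]              # session_id
    (n,) = struct.unpack_from("!H", record, pos)
    ciphers = [record[i:i + 2].hex() for i in range(pos + 2, pos + 2 + n, 2)]
    pos += 2 + n
    pos += 1 + record[pos]              # compression methods
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos, end = pos + 2, pos + 2 + ext_total
    sni, versions = None, [legacy]      # fall back to legacy_version if ext 43 is absent
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:               # server_name: list_len(2) type(1) name_len(2) name
            (name_len,) = struct.unpack_from("!H", data, 3)
            sni = data[5:5 + name_len].decode("ascii")
        elif ext_type == 43:            # supported_versions: len(1), then 2-byte versions
            versions = [data[i:i + 2].hex() for i in range(1, len(data), 2)]
        pos += 4 + ext_len
    return {"sni": sni, "versions": versions, "ciphers": ciphers}

def diff_hellos(a, b):
    """Names of the fields on which two parsed ClientHellos disagree."""
    return [k for k in ("sni", "versions", "ciphers") if a[k] != b[k]]

# Constructed sample: origin.example.com is a placeholder for the CloudFront hostname.
with_sni = parse_client_hello(capture_client_hello("origin.example.com"))
without_sni = parse_client_hello(capture_client_hello(None))
print(diff_hellos(with_sni, without_sni))
```

To compare real traffic, pass `parse_client_hello` the raw bytes of each ClientHello record exported from the client-side and server-side captures.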