mwinstead_13706
Nov 05, 2013

Proxy SSL?

Forgive my ignorance on this subject... Here is a high level of what is going on in our environment and what I want to happen.

 

We have a site, www.ABC.com; we want all traffic to come in as HTTP:80. When someone navigates to the www.ABC.com/secureHTTPSpage, the application is written to look for SSL. If it is, then it passes them on correctly to that URL.

 

Is this a configuration in F5 that we set up so that when the client hits that URL, F5 passes an SSL cert to authenticate with the client? (Proxy SSL?) Or maybe an iRule?

 

Right now, when the user goes to that URL, it changes the URL to HTTPS:// but doesn't appear to be getting a cert from F5. If I go directly to the actual web server's IP, I get to the site just fine.

 

Basically, the whole site is HTTP until a user goes to certain portions of the site. Then we want to serve them HTTPS authentication.

 

Current setup is Virtual Server IP: 192.168.1.10 Pool Member: 192.168.1.11 192.168.1.12

 

7 Replies

  • Richard__Harlan
    Historic F5 Account

    An easy way to fix this is a quick redirect iRule; this way the LTM will send the redirect before it gets to the server.

    when HTTP_REQUEST {
        # Redirect requests for the secure page to HTTPS, keeping the same host and URI
        if { [HTTP::uri] equals "/secureHTTPSpage" } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }
    
    • mwinstead_13706
      Thank you for responding so fast. I need to add to this... Currently the logic in the web application is directing the URL to https correctly. The problem is it's not authenticating. We know the cert works that is on the Web server because if we go directly to the web server IP and navigate to that /SecureHTTPSpage URL we can get to the page. It's when we use the Virtual Server IP and go to the /SecureHTTPspage that we are given a 404.
  • Based on Richard's iRule, you'll need two separate F5 VIPs: one listening on port 80 for HTTP traffic, and another on port 443 with a client SSL profile. Both pointing to the same pool. Is this your configuration?

     

  • What I understand from your descriptions so far is that you have two VIPs. Most traffic passes through the port 80 VIP until a specific URL is requested. When that happens the user is redirected to the HTTPS VIP. When the user hits this VIP he should do an SSL negotiation with the VIP (and then some additional authentication?). Does that sound correct? If so, where is it failing?

     

  • Do you have the redirect iRule on the HTTPS VIP? If so, remove it. The iRule should only be on the HTTP VIP.

     

  • That very well could be the case. Try re-encrypting the traffic with a server SSL profile and set the pool to send to port 443.

     

    The next step may be to look at the HTTP communication between the client and HTTPS VIP (HTTPWatch or Fiddler in the browser). You're looking for anything in the server's response that may send the client to another host or protocol not defined by the F5 VIP.

     

  • Your web server appears to be listening on ports 80 and 443, so create a separate pool (for testing) and add the web server IP and port 443. Change the VIP's pool to this pool and assign a generic server SSL profile. What we're attempting to do is to send SSL to the web server. This will help to establish if it's a protocol issue at the web server.
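
The response check suggested in the replies above (look for anything in the server's response that sends the client to a host or protocol the F5 VIP does not define) can be scripted. This is an added example, not code from the thread: the listener set, the function names and the sample responses are assumptions constructed for illustration, using the site name and pool member IP from the original post.

```python
from urllib.parse import urljoin, urlsplit

# Listeners the F5 exposes (assumed: one HTTP VIP and one HTTPS VIP
# for the site name used in the thread).
VIP_LISTENERS = {("http", "www.abc.com", 80), ("https", "www.abc.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_target(request_url, raw):
    """Resolve the Location header (absolute or relative), or None."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    return urljoin(request_url, headers["location"])


def leaves_vip(request_url, raw, listeners=VIP_LISTENERS):
    """True when a redirect points at a scheme/host/port the VIPs do not serve."""
    target = redirect_target(request_url, raw)
    if target is None:
        return False
    parts = urlsplit(target)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port) not in listeners


# Constructed captures, not taken from the thread.
SAMPLES = [
    ("http://www.abc.com/secureHTTPSpage",
     "HTTP/1.1 302 Found\r\nLocation: https://www.ABC.com/secureHTTPSpage\r\n\r\n"),
    ("https://www.abc.com/secureHTTPSpage",
     "HTTP/1.1 302 Found\r\nLocation: https://192.168.1.11/secureHTTPSpage/login\r\n\r\n"),
    ("https://www.abc.com/secureHTTPSpage",
     "HTTP/1.1 302 Found\r\nLocation: /secureHTTPSpage/login\r\n\r\n"),
]

if __name__ == "__main__":
    for url, raw in SAMPLES:
        print(url, "->", redirect_target(url, raw), "leaves VIP:", leaves_vip(url, raw))
```

The second sample is the case to watch for: the back-end redirects to a pool member's own address, so the client's next request bypasses the virtual server and its SSL profile.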