KMA_50449
Nimbostratus
Jul 16, 2008
Reverse proxy SSL with LTM: https with bigip, then http
Hi,
We have LTM with ssl accelerator card, so time to use them !
What I'm trying to do seems easy:
Request:
Client -> https -> Bigip with sslclient profile -> http -> webserver
Answer:
webserver -> http -> Bigip with sslclient profile -> https -> client
I want my LTM to handle all the ssl requests, decode them and send clear text http requests to the web server.
To do that I've uploaded my own certificate and key and created a sslclient profile with this cert/key.
Then I've created a pool with the IP of my web server and port 80 (for http, I don't want my web server to encrypt or decrypt anything).
Last I've created the Virtual Server, listening on port 443 with my sslclient profile as SSL Profile (Client) option, Protocol Profile (client) is TCP.
No SSL profile server needed, and all other options of the VS are set to none or not checked.
I chose my previous pool in the resources tab with source_addr for the persistence profile.
Then I try to access my website through the VS ip, I get the certificate sent by the Bigip and then ... nothing: "The network link was interrupted while negotiating a connection. Please try again." in my firefox browser
I tried to tcpdump the requests, and none of them arrive at my web server from the bigip when I try to load the page, while the http health monitor works fine...
I've read many docs, all the forum, wiki ... and cannot find where I failed
Surely I'm missing something, could someone help me?
17 Replies
- hoolio
Cirrostratus
Hello Kevin,
If the error in the browser is immediate, I'd guess the client SSL profile ciphers are incompatible with the ones the browser is trying to use. If the error takes a while, I'd guess the default gateway on the web server isn't set to LTM's floating self IP on the server VLAN. The latter can be fixed by either changing the default gateway on the server or enabling SNAT automap on the VIP. Another possibility is address translation is disabled on the VIP.
Aaron
- KMA_50449
Nimbostratus
Dears,
First thanks for your quick answer.
The webserver is a Linux box, with 3 IPs on the same VLAN, same subnet.
The first 2 IPs are used in npath routing, so they are mounted directly on the loopback interface, so that the default gw is one of our routers.
It has worked fine for months with the LTM.
The third IP is on its own interface, dedicated for SSL, and I've tried to set up the route on the webserver with the ip route tools, but I never succeeded; the packets from this 3rd interface never go through the LTM.
If someone knows how to do it, I'm very interested, because SNAT will consume a lot of resources whereas setting the default gw will not consume anything on the LTM.
I've tried to enable SNAT automap AND checked address translation, and it works. I missed those two options.
Thanks a lot Aaron
K.
- hoolio
Cirrostratus
Good to hear. I don't think there is any significant overhead in LTM performing source address translation. If you run a high traffic site, you might want to configure multiple addresses in a SNAT list for the VIP. In that case, it would take up IP's. But SNAT in and of itself shouldn't be expensive in terms of memory or CPU cycles.
Aaron
- KMA_50449
Nimbostratus
Hi,
Thanks for the explanation, I will test and check CPU and RAM. I will post some stats in a few days, maybe it can interest other people.
K.
- KMA_50449
Nimbostratus
Hi,
So after fw test I have a new problem, which I can't explain
I've created a clientssl profile specifying my key/cert and all other options are default. No client authentication.
I've created a pool with 1 server and port 80, allow snat is yes, others are default (allow nat no).
I've created a vs listening on port 443, with protocol profile client set to tcp, my clientssl profile, address translation checked and snat pool set to automap.
So I try to reach my server, the good certificate is sent to my browser, and then error 400: the LTM decrypts the ssl and resends the request in http to port 443 of my server.
The one in my pool is only on port 80, and port translation in the vs is not checked.
On the server side I can see the request arriving on port 443 ... not 80.
I can't find where I've made a mistake, if you have any idea.
- JRahm
Admin
If you want the tcp port on your request to switch from 443 to 80, you need port translation enabled.
- KMA_50449
Nimbostratus
Hi
In fact when I activated port translation, https is redirected to http ..., I mean if I type https://mysite I am redirected to http://mysite/mypage. So I lose the SSL encryption, very strange behaviour. Am I missing something else?
- JRahm
Admin
Do you have a rule associated to your ssl virtual, or is the web server issuing this redirect?
- KMA_50449
Nimbostratus
I don't have any irules activated on this virtual ip.
I've created a virtual ip on the same ip but for port 80, so that I can see the redirection.
It comes from the bigip, without the bigip https works fine.
My conf is very easy ...
k.
- KMA_50449
Nimbostratus
Well, it seems the application makes a kind of redirection; if I access a page directly in https I stay in https. I'm currently checking the source code of the webapp.
Thanks a lot for your help.
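For reference, the settings the thread converges on (client-ssl profile, port-80 pool, 443 virtual with address translation, port translation and SNAT automap) written as tmsh commands. This is an added example, not configuration from the thread or from F5; BIG-IP v11+ tmsh syntax is assumed, and all object names, addresses and cert/key file names are placeholders.

```tmsh
# Added example (not from the thread): SSL offload virtual on the BIG-IP,
# clear-text HTTP to the backend. Placeholder names/addresses throughout;
# mysite.crt / mysite.key must already be imported on the BIG-IP.

# 1. Client SSL profile with the site's own cert/key, no client authentication
#    (everything else inherits from the parent clientssl profile).
create ltm profile client-ssl clientssl_mysite defaults-from clientssl cert mysite.crt key mysite.key

# 2. Pool with the web server on port 80: the backend only ever sees plain HTTP.
#    allow-snat stays at its default (yes) so automap on the virtual can be used.
create ltm pool pool_mysite_http members add { 10.10.0.10:80 } monitor http

# 3. Virtual server on 443 with the three settings the original post lacked:
#    - translate-address enabled : destination IP rewritten to the pool member
#    - translate-port enabled    : destination port rewritten 443 -> 80
#      (without it the decrypted request is forwarded to port 443, which is
#       the HTTP 400 seen in the thread)
#    - source-address-translation automap : server replies return via the BIG-IP
#      even though the server's default gateway is another router
create ltm virtual vs_mysite_https destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp clientssl_mysite } pool pool_mysite_http translate-address enabled translate-port enabled source-address-translation { type automap } persist replace-all-with { source_addr }

# 4. Check what was applied and that the http monitor marks the member up.
list ltm virtual vs_mysite_https
show ltm pool pool_mysite_http members
```

Without SNAT, the alternative discussed in the thread is to make the server's default gateway the BIG-IP floating self IP on the server VLAN so the return path goes back through the LTM.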