Forum Discussion

Nimbostratus

Sep 14, 2009

ssl - profile

Here is what i want to do : We have SNAT pool configured on our big ip so i use "X-forward-for" http header to log actaul client ip in web server. Now i want to do it for HTTPS. ...

management

monitoring

hoolio

Cirrostratus

Sep 15, 2009

Hi Singh,

If you want to decrypt the client to VIP SSL, you would import the cert/key and create a client SSL profile. If you want to re-encrypt the SSL on the server side, you would use a server SSL profile. You would only need to import a cert/key for the server SSL profile if the server(s) require a client cert for SSL handshakes.

Once you add a client SSL profile, LTM will decrypt all SSL. Nothing at the HTTP layer is changed after the SSL decryption is done. LTM does not act as an HTTP proxy to tunnel SSL with the CONNECT method.

Once you add a client SSL profile to the VIP, you can also add an HTTP profile. You can enable the XFF option on the HTTP profile to have LTM insert the original client IP address in the XFF header.

Aaron

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

ssl - profile

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

JSON Web Key Set Endpoint

Related Content

SSL Profiles Part 6: SSL Renegotiation

SSL Profiles Part 5: SSL Options

SSL Profiles Part 8: Client Authentication

SSL Profiles Part 7: Server Name Indication

SSL Profiles Part 1: Handshakes

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS