Forum Discussion

Cirrus

Nov 28, 2022

SSL Full Proxy - SSL Re-Encryption performance degradation

Hi, We have traditionally been a shop that used SSL encryption to the F5 and decrypted text to webservers (https to F5 and http to webservers). We are being asked to encrypt the full route. We a...

application delivery

devops

security

Nikoolayy1
Dec 01, 2022
Hello LanceLyons , Kai_Wilke provided a full list what can cause you such issues and if this helped please mark his reply as a solution. Outside of that if you are using a hardware device maybe see if hardware ssl ciphers are used for better performance as mentioned in https://support.f5.com/csp/article/K75983426 / https://support.f5.com/csp/article/K50459385 / https://support.f5.com/csp/article/K13213 and the /var/log/ltm if you are hitting some license limit for example.

Mohamed_Ahmed_Kansoh

MVP

Nov 28, 2022

Hi LanceLyons ,
No issues from F5 perspective as ( irules , loadbalancing and persistence shouldn’t be impacted ) because F5 interested in decrypting traffic that coming from client-side to deal with http payload decrypted.

> when you configure server ssl or ssl bridging you re-encrypt traffic again and directs it web servers encrypted , F5 hasn’t issues in this scenario , you need only to check the server itself , if it affords the process of decryption again as you know in " ssl offloading " you let F5 to be the only hop which performs decryption and offloads servers to do this exhausting task.

> usually I performs " SSL bridging (configure client and server ssl profiles )" with our customers , and we have not faced any issues regarding server ssl to re-encrypt traffic again.

Regards

LanceLyons
Cirrus
Nov 28, 2022
Thanks Mohamed,

Have you all noticed any performance degradation to heavily used websites from an end user perspective with the decryption at f5 and reencrypt at f5?
- Mohamed_Ahmed_Kansoh
  MVP
  Nov 28, 2022
  LanceLyons ,
  No , I performs ssl bridging for high traffic virtual servers , these virtual servers serves public services over internet for ISPs and there is no issues regarding it server-ssl or re-encrypting traffic towards web-servers.
  
  > I always offer them not to do this to lighweight the headache on webservers.
  
  > to be sure , cofigure it and monitor your CPU periodically.
  
  Regards

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

SSL Full Proxy - SSL Re-Encryption performance degradation

Recent Discussions

NAT for specific IPs

Upgrading BIGIP 2000S to R2600

TS Declarations for DNS

how to view list os client support via cli

automatic learning logs/report ?

Related Content

Understanding Performance Metrics and Network Traffic

Performance Logging iRule (Rule_http_log)

Intermediate iRules: Evaluating Performance

Enhance Performance and Increase Scalability with F5 BIG-IP on HPE GreenLake

Perform out-of-place upgrade of vCMP guests via Ansible

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS