SSL interception on F5
Hello,
I am planning to intercept SSL on F5 to certain web servers to apply some iRules based on HTTP headers. Currently I have a virtual server for HTTPS for those web servers. If I understand this correctly, I need to import the same certificate from the web servers and use it in the client-ssl profile. But what about the server-ssl profile? I don't need to import any certificate, right? I just need to adjust settings in the Server Authentication piece to require a certificate from the servers, the "authentication name" and the "trusted CA" - or create a bundle for the CA I need, and that should be all, correct? Or am I missing something? Thanks
- MvdG
Cirrus
xMadi,
You are correct. You need to upload a valid certificate and use it in the client-ssl profile. If you do not care about the internal certificate, you can use the serverssl-insecure-compatible profile.
Instead of an iRule, maybe you can use a policy for the HTTP header based operations.
Regards, Martijn.
- xMadi
Nimbostratus
Thanks. Well, I will want to load balance on a single virtual server to different pools based on the HTTP header field. Not sure if the HTTP header based operations are suited for this.
Marek
- MvdG
Cirrus
Marek,
You should take a look at an LTM policy (Local Traffic -> Policies).
You can create a rule within an LTM policy that forwards traffic to a pool based on an HTTP header. Of course you can do the same with an iRule, but if you can do it in the GUI, you should do it there.
Good luck.
Martijn.
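
The header-based pool selection discussed in this thread, written as an iRule. This is an added example, not code posted by any participant; the header name `X-App-Tier`, its values and the pool names are assumptions chosen for illustration.

```tcl
# Added example. Assumed names: header X-App-Tier, pools pool_web_default,
# pool_web_reports and pool_web_api.
when HTTP_REQUEST {
    # HTTP_REQUEST fires only on decrypted traffic, so the virtual server
    # needs the client-ssl profile and an http profile attached.

    # The header is supplied by the client and may be absent or repeated.
    # Treat anything other than exactly one occurrence as "no selection".
    if { [HTTP::header count "X-App-Tier"] != 1 } {
        pool pool_web_default
        return
    }

    # Exact-match allowlist: the header value is never used to build a pool
    # name, so a client cannot steer traffic to a pool that is not listed.
    switch -- [string tolower [HTTP::header value "X-App-Tier"]] {
        "reports" { pool pool_web_reports }
        "api"     { pool pool_web_api }
        default {
            # Log the source only, not the raw header value, to keep
            # client-controlled text out of the log line.
            log local0.notice "unexpected X-App-Tier value from [IP::client_addr]"
            pool pool_web_default
        }
    }
}
```

The same allowlist can be expressed as LTM policy rules with a default rule that forwards to the fallback pool.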