Forum Discussion
NimbostratusSSL make login slow
EmployeeI think perhaps there are two issues here.
-
You apparently have an HTTP VIP that does nothing more than redirect requests to an HTTPS VIP. This is fine, but then consider what happens if every document reference in the returned HTML is for an http:// URL. For every object, the client has to make TWO requests. The best way to tell if this is actually happening is to perform a client side capture with a tool like Fiddler or HTTPWatch. If the client is indeed making two requests for many objects, then it's probably also a good idea to implement a STREAM rewrite iRule to replace all of those http:// references with https://. That way the client will talk directly to the HTTPS VIP. The STREAM::expression wiki page actually has a really good example of how to do that.
-
There are also two separate SSL sessions here, at the VIP and at the web server. This too is fine, but consider the implications of first decrypting the traffic at the F5 and then re-encrypting to the server. You'll certainly get better performance in the client side SSL, but it'll be a wash on the server side. One of the F5's greatest strengths is its ability to process/offload SSL traffic really quickly, so it may be worth considering NOT re-encrypting to the web server. In lieu of that, you shouldn't need to put the server certs on the web server unless you have some (non-standard) reason to do so. Cryptography is CPU intensive, so you can expect it to be slower than without it.
