SSL off-loading and secure WebSocket
Hi,
We have a Big-IP load balancer, and we are planning to publish a web application that uses secure WebSockets (WSS).
We are a little bit concerned about how the load balancer is going to handle this situation, because of the SSL offloading. Is there anything special we have to configure or take care of?
Clients will send an HTTPS request with a WebSocket handshake, that includes the HTTP headers "Upgrade:websocket" and "Connection:Upgrade". Will the load balancer populate those headers to the web server? Will the load balancer understand that those connections are persistent and non-HTTP?
Thanks.
- nitass (Employee)
It is supported in 11.4.0 or later.
Prior to 11.4.0, you can use a TCP virtual server with a clientssl/serverssl profile, or an HTTP virtual server with a clientssl/serverssl profile and an iRule to disable the HTTP profile for WebSocket traffic.
sol14754: BIG-IP support for the WebSocket protocol
- vtortola_141944 (Nimbostratus)
That link does not say anything about WSS and SSL off-loading.
- sachin_80710 (Nimbostratus)
On AskF5 we don't find any document that explains how to configure WebSocket on 11.4.0 and later.
- nitass (Employee)
I understand that what it does is disable the HTTP profile when it detects the Upgrade header (the SSL profile is still applied).
- Kevin_Stewart (Employee)
If I may add, the point is that the F5 doesn't really understand the WSS protocol messages, so the HTTP profile would likely break it. If you don't use an HTTP profile and simply treat the traffic as TCP data, you can offload the SSL and optionally re-encrypt without touching the layer 7 data. It'd be like passing any other non-standard TCP-based protocol through the F5.
- D99 (Cirrus)
I also have a similar requirement. Were you able to get a solution?
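Added example (not part of the thread and not F5 code): a Python sketch of the check a TLS-terminating proxy can make on the decrypted request before it stops HTTP parsing and relays raw bytes, which is the behaviour the replies above describe. The function names and sample requests are constructed for illustration; the accept-key computation follows RFC 6455, and its result is what the backend's `101` response should carry.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def parse_headers(raw: bytes) -> dict:
    """Return the request's headers (after TLS offload) keyed by lower-case name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            # Repeated headers are folded into one comma-separated value.
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _tokens(value: str) -> set:
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def is_websocket_upgrade(raw: bytes) -> bool:
    """True when HTTP processing should stop and the connection be relayed as TCP."""
    h = parse_headers(raw)
    # Connection is a token list: browsers often send "keep-alive, Upgrade".
    return ("upgrade" in _tokens(h.get("connection", ""))
            and "websocket" in _tokens(h.get("upgrade", ""))
            and "sec-websocket-key" in h)


def expected_accept(raw: bytes) -> str:
    """Sec-WebSocket-Accept value the server's 101 response must contain."""
    key = parse_headers(raw)["sec-websocket-key"]
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample requests, as seen after the client-side TLS is terminated.
WSS_REQUEST = (b"GET /chat HTTP/1.1\r\nHost: app.example.test\r\n"
               b"Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
               b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
               b"Sec-WebSocket-Version: 13\r\n\r\n")
PLAIN_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: app.example.test\r\n"
                 b"Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("wss", WSS_REQUEST), ("plain", PLAIN_REQUEST)):
        print(label, "-> relay as TCP" if is_websocket_upgrade(req) else "-> keep HTTP parsing")
    print("expected Sec-WebSocket-Accept:", expected_accept(WSS_REQUEST))
```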