Forum Discussion

tom_phelan_3458
Jan 23, 2018

SSL offload and HTTPS persistence

Hi, currently I have HTTP clients accessing two Servers in a pool behind an F5. I need persistence towards the two Servers and I'm using a Persistence Profile with an HTTP iRule. Now the customer wants to use HTTPS Clients towards the two Servers, which will have HTTPS ports configured. As I want to keep persistence towards the two Servers, I understand from reading other posts here that I need to offload SSL in F5, so decrypt, run the HTTP Persistence iRule and then encrypt again. Am I correct in that thinking? I'm wondering about the way to implement this on F5. Both Servers will have the same SSL cert/key. To make this work, do I create a VS with type "standard" and then create a Client and Server SSL Profile using the SSL cert/key from the Servers?

 

As regards the iRule, do I need to modify the rule below, replacing HTTP with HTTPS, or leave it as is?

 

  • This is the HTTP persistence rule I'm currently using:

    when HTTP_RESPONSE {
        # Record the chosen pool member under the key set in HTTP_REQUEST
        persist add uie $clientip
    }
    when HTTP_REQUEST {
        set clientip ""
        # Key on X-Forwarded-For when present, otherwise on the source address
        if { [HTTP::header exists "X-Forwarded-For"] } {
            set clientip [HTTP::header "X-Forwarded-For"]
        } else {
            set clientip [IP::client_addr]
        }
        persist uie $clientip
    }

  • You're heading in the right direction. Same iRule would work for http & https vips. Client side & server side SSL cert/key and profile settings may be different. You don't need to use the same SSL cert/key.
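
Added example, not part of the thread and not F5 code: a simplified Python model of what the iRule above does with the persistence key. It takes already-decrypted request headers, which is why the client SSL profile has to terminate TLS before the rule can run. The pool members, addresses and class names are constructed for illustration, and record timeouts are not modelled.

```python
from itertools import cycle

POOL = ["10.0.0.11:443", "10.0.0.12:443"]  # constructed pool members


def persistence_key(headers, client_addr):
    """Mirror the iRule's HTTP_REQUEST branch: XFF header if present, else client IP."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if "x-forwarded-for" in lowered:
        return lowered["x-forwarded-for"]  # raw header string, as the iRule uses it
    return client_addr


class UniversalPersistence:
    """Simplified stand-in for the uie persistence table (assumption: no timeouts)."""

    def __init__(self, members):
        self._round_robin = cycle(members)  # used only when no record exists
        self.table = {}

    def on_request(self, headers, client_addr):
        # "persist uie $clientip": reuse the recorded member or load balance
        key = persistence_key(headers, client_addr)
        member = self.table.get(key) or next(self._round_robin)
        return key, member

    def on_response(self, key, member):
        # "persist add uie $clientip": remember which member answered this key
        self.table[key] = member


def handle(lb, headers, client_addr):
    key, member = lb.on_request(headers, client_addr)
    lb.on_response(key, member)
    return member


def demo():
    lb = UniversalPersistence(POOL)
    via_proxy = {"X-Forwarded-For": "198.51.100.7"}
    first = handle(lb, via_proxy, "203.0.113.1")
    # Same header value arriving from another proxy address: same record, same member
    again = handle(lb, via_proxy, "203.0.113.2")
    # A longer proxy chain is a different string, so it gets its own record
    chained = handle(lb, {"X-Forwarded-For": "198.51.100.7, 203.0.113.9"}, "203.0.113.1")
    # No header at all: the key falls back to the connection's source address
    direct = handle(lb, {}, "192.0.2.50")
    return first, again, chained, direct, dict(lb.table)
```

Because the key is the raw header string, the same client reaching the virtual server through a different proxy chain lands in a separate persistence record.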