Chris_Phillips
Aug 14, 2012

SSL offload headers for ASM

Hi,

Is there a way for an ASM box sitting behind an LTM box to know that SSL has been terminated on LTM? We add in similar headers for WebLogic, which is behind ASM, but found that the allowed URLs on our ASM policies need to be defined as HTTP instead of HTTPS when it comes to ASM. As we have test environments where the LTM and ASM cohabit a single device, and therefore DO see HTTPS URLs, this brings in a frustrating inconsistency when it comes to ASM policy.

Thanks

Chris

  • Chris,

    Hmm, so the ASM of course needs the traffic to be decrypted before it can really do much for it (hence the ASM policies being for HTTP).

    In a single unit, dual module configuration, typically you just see an LTM virtual with an SSL profile on it, and an ASM enabled HTTP class attached to it. This allows the LTM to do the SSL decrypt and the ASM module to do its dark magic. You can even throw on a server side SSL profile if you want to re-encrypt.

    In the dual box environment, question:

    Are you re-encrypting between the LTM unit and ASM unit? If so, then you should just be able to decrypt on the ASM unit Virtual server profile, and let the ASM do its thing.

    Sorry for the scattergun answer, I may have misread the question (and there are probably about 10,000 different right answers).

    Josh M
  • I assume they're not using HTTPS between the LTM and ASM. If that's true, you can force ASM to globally interpret all requests as HTTP using an internal parameter:

    10.2.x - Manual Chapter: Internal Parameters for Advanced Configuration

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_apx_internal_params.html

    ProtocolIndication - Specifies how the system distinguishes between HTTP and HTTPS URLs. If the value is -1, the system decides whether the object requested is an HTTP request or an HTTPS request based on the incoming traffic. If the value is 0, the system treats all incoming URL requests as HTTP requests. If the value is 1, the system treats all incoming URL requests as HTTPS requests.

    Aaron
  • Ahh, so there's no header we could insert on the LTMs? Strange, I thought there would've been one. Given that we are ASMing some normal HTTP traffic as well as HTTPS, forcing a presumption on ASM doesn't seem appropriate, especially as we might be wanting to enable the internal parameters for secure cookies, as then we'd be setting secure on a non-secure cookie, which sounds like a bad place to be!

    Thanks guys, as always!