SSL Offload with HTTP/2.0
I need to configure SSL Offload with HTTP/2.0.
All the guidance I've read says we need to choose clientssl-secure as the client-ssl profile - but how does that work when you're terminating the TLS session? How do we configure a certificate on the client-side?
The following article does give instructions to use the clientssl-secure profile:
https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-http2-full-proxy-configuration/http2-full-proxy-configuring.html
However, this is just used as an example. In reality, you would use clientssl-secure as a parent profile of a child clientssl profile (which has the cert / key / chain applied).
Below is a configuration that I have used in the past for configuring HTTP/2 with SSL offload. It disables renegotiation and only allows TLS1.2.
Configuring HTTP/2 Client-Side (SSL Offload)
# Create HTTP/2 profile
create ltm profile http2 HTTP2 defaults-from http2

# Create parent client-ssl HTTP/2 compatible profile (renegotiation disabled and TLS1.2 PFS ciphers enabled)
# Note: the built-in base profile is named clientssl
create ltm profile client-ssl CLIENTSSL-HTTP2 defaults-from clientssl description "HTTP/2 Compatible - SSL Renegotiation Disabled, PFS Enabled" renegotiation disabled ciphers 'ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES' options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }

# Create child client-ssl profile (inherits from the parent client-ssl profile; this is where the cert / key / chain live)
create ltm profile client-ssl CLIENTSSL-HTTP2-<FQDN> defaults-from CLIENTSSL-HTTP2 cert-key-chain add { <FQDN>-<YEAR> { cert <FQDN>-<YEAR>.crt key <FQDN>-<YEAR>.key chain <INTERMEDIATE CA BUNDLE>.crt } }

# Create pool
create ltm pool <POOL NAME> load-balancing-mode least-connections-member members add { <IP>:<PORT> } monitor <MONITOR>

# Create HTTP/2 virtual server (attach the child client-ssl profile, not the parent)
create ltm virtual <VS NAME> destination <VIP>:<PORT> profiles add { tcp http HTTP2 CLIENTSSL-HTTP2-<FQDN> } pool <POOL NAME>
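As an added example (not part of the original answer or of F5's tooling), the following Python script audits the parent/child profile pattern described above. It parses a constructed listing shaped like `tmsh list ltm profile client-ssl` output (the exact field layout is an assumption; profile and file names such as `CLIENTSSL-HTTP2-www.example.test` and `LEGACY-OFFLOAD` are made up), resolves settings through the `defaults-from` chain the way a child inherits from its parent, and flags profiles that still allow SSLv3/TLS 1.0/TLS 1.1, leave renegotiation enabled, or are attached to a virtual server without a `cert-key-chain` anywhere in the chain.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of `tmsh list ltm profile client-ssl` output.
# Assumption: only the fields audited below are modelled; names and file names are made up.
SAMPLE_LISTING = """
ltm profile client-ssl CLIENTSSL-HTTP2 {
    ciphers ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES
    defaults-from clientssl
    options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }
    renegotiation disabled
}
ltm profile client-ssl CLIENTSSL-HTTP2-www.example.test {
    cert-key-chain {
        www.example.test-2024 {
            cert www.example.test-2024.crt
            chain intermediate-bundle.crt
            key www.example.test-2024.key
        }
    }
    defaults-from CLIENTSSL-HTTP2
}
ltm profile client-ssl LEGACY-OFFLOAD {
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    options { dont-insert-empty-fragments no-ssl }
    renegotiation enabled
}
"""

# Protocol options the parent profile above sets; the audit requires them to be explicit.
REQUIRED_OPTIONS: Set[str] = {"no-ssl", "no-tlsv1", "no-tlsv1.1"}


class ClientSslProfile:
    """Subset of a client-ssl profile relevant to HTTP/2 offload hygiene."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.defaults_from: Optional[str] = None
        self.options: Optional[Set[str]] = None    # None = not set here, inherit from parent
        self.renegotiation: Optional[str] = None   # "enabled" / "disabled" / None (inherit)
        self.has_cert_key_chain = False


def parse_client_ssl_listing(text: str) -> Dict[str, ClientSslProfile]:
    """Parse top-level `ltm profile client-ssl NAME { ... }` blocks into profile objects."""
    profiles: Dict[str, ClientSslProfile] = {}
    current: Optional[ClientSslProfile] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = re.match(r"^ltm profile client-ssl (\S+) \{$", line)
        if header:
            current = ClientSslProfile(header.group(1))
            profiles[current.name] = current
            continue
        if current is None:
            continue
        if line == "}":  # closing brace of the top-level block (nested ones are indented)
            current = None
            continue
        field = line.strip()
        if field.startswith("defaults-from "):
            current.defaults_from = field.split(None, 1)[1]
        elif field.startswith("options {"):
            inner = field[len("options {"):].rstrip("}").strip()
            current.options = set(inner.split())
        elif field.startswith("renegotiation "):
            current.renegotiation = field.split(None, 1)[1]
        elif field.startswith("cert-key-chain {"):
            current.has_cert_key_chain = True
    return profiles


def effective(profiles: Dict[str, ClientSslProfile], name: str, attr: str):
    """First explicitly set value of `attr` walking up the defaults-from chain, else None.
    Stops at roots not present in the listing (e.g. the built-in clientssl) and on cycles."""
    seen: List[ClientSslProfile] = []
    cur = profiles.get(name)
    while cur is not None and cur not in seen:
        seen.append(cur)
        value = getattr(cur, attr)
        if value is not None and value is not False:
            return value
        cur = profiles.get(cur.defaults_from) if cur.defaults_from else None
    return None


def audit_profile(profiles: Dict[str, ClientSslProfile], name: str, attached_to_virtual: bool) -> List[str]:
    """Return findings; an empty list means the profile meets the HTTP/2 offload baseline."""
    findings: List[str] = []
    missing = sorted(REQUIRED_OPTIONS - (effective(profiles, name, "options") or set()))
    if missing:
        findings.append(f"{name}: legacy protocols not explicitly disabled (missing {' '.join(missing)})")
    if effective(profiles, name, "renegotiation") != "disabled":
        findings.append(f"{name}: renegotiation not explicitly disabled; HTTP/2 requires it off")
    if attached_to_virtual and not effective(profiles, name, "has_cert_key_chain"):
        findings.append(f"{name}: no cert-key-chain on the profile or its parents; it cannot terminate TLS")
    return findings
```

Run `audit_profile(parse_client_ssl_listing(SAMPLE_LISTING), name, attached_to_virtual)` for each profile name. The parent template `CLIENTSSL-HTTP2` passes with `attached_to_virtual=False`, the child passes because it inherits the protocol options and renegotiation setting while supplying the certificate itself, and `LEGACY-OFFLOAD` is reported for TLS 1.0/1.1 and for renegotiation. Settings that are simply absent are reported as "not explicitly disabled" rather than assumed safe, because the effective value would then come from the platform's built-in base profile, which this script does not model.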