Forum Discussion
SSL Offload with HTTP/2.0
I need to configure SSL Offload with HTTP/2.0.
All the guidance I've read says we need to choose clientssl-secure as the client-ssl profile - but how does that work when you're terminating the TLS session? How do we configure a certificate on the client-side?
The following article does give instructions to use the clientssl-secure profile:
https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-http2-full-proxy-configuration/http2-full-proxy-configuring.html
However, this is just used as an example. In reality, you would use clientssl-secure as a parent profile of a child clientssl profile (which has the cert / key / chain applied).
Below is a configuration that I have used in the past for configuring HTTP/2 with SSL offload. It disables renegotiation and only allows TLS1.2.
Configuring HTTP/2 Client-Side (SSL Offload)
# Create HTTP/2 profile
create ltm profile http2 HTTP2 defaults-from http2

# Create parent client-ssl HTTP/2 compatible profile (renegotiation disabled and TLS1.2 PFS ciphers enabled)
# Note: the built-in base profile is named "clientssl"; "client-ssl" is the profile type
create ltm profile client-ssl CLIENTSSL-HTTP2 defaults-from clientssl description "HTTP/2 Compatible - SSL Renegotiation Disabled, PFS Enabled" renegotiation disabled ciphers 'ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES' options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }

# Create child client-ssl profile (inherits from the parent client-ssl profile and carries the cert / key / chain)
create ltm profile client-ssl CLIENTSSL-HTTP2-<FQDN> defaults-from CLIENTSSL-HTTP2 cert-key-chain add { <FQDN>-<YEAR> { cert <FQDN>-<YEAR>.crt key <FQDN>-<YEAR>.key chain <INTERMEDIATE CA BUNDLE>.crt } }

# Create pool
create ltm pool <POOL NAME> load-balancing-mode least-connections-member members add { <IP>:<PORT> } monitor <MONITOR>

# Create HTTP/2 virtual server
create ltm virtual <VS NAME> destination <VIP>:<PORT> profiles add { tcp http HTTP2 CLIENTSSL-HTTP2-<FQDN> } pool <POOL NAME>
Under the virtual server you should have a setting labeled "SSL Profile (Client)", which is where you would associate your SSL cert and key of choice with the virtual server in question. Please keep in mind that if you use the "clientssl-secure" profile, it will use an F5 self-signed SSL certificate, so end users will receive an error on their side about either the name not matching or that you are using an SSL certificate that isn't from a trusted certificate authority.
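A way to check the parent/child profile layout from the tmsh configuration above, together with the self-signed default certificate point in the reply above, as an added example that is not part of this thread or of any F5 tooling: it parses a constructed `tmsh list ltm profile client-ssl` dump (the profile and file names are made up), resolves `defaults-from` inheritance, and reports any profile whose effective settings still allow renegotiation or SSLv3/TLS1.0/TLS1.1, or that would serve the BIG-IP default self-signed certificate because no cert-key-chain was added on the child. The dump is trimmed to the relevant properties; the parser only handles the brace syntax shown.

```python
# Constructed sample of "tmsh list ltm profile client-ssl" output (not from a real device)
TMSH_DUMP = """\
ltm profile client-ssl clientssl {
    cert-key-chain {
        default {
            cert default.crt
        }
    }
}
ltm profile client-ssl CLIENTSSL-HTTP2 {
    defaults-from clientssl
    options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }
    renegotiation disabled
}
ltm profile client-ssl CLIENTSSL-HTTP2-www.example.com {
    cert-key-chain {
        www.example.com-2024 {
            cert www.example.com-2024.crt
        }
    }
    defaults-from CLIENTSSL-HTTP2
}
"""

def parse_block(lines):
    # consume tmsh brace syntax up to the matching "}" into a nested dict
    block = {}
    while lines and (line := lines.pop(0).strip()) != "}":
        if line.endswith("{"):
            block[line[:-1].strip()] = parse_block(lines)
        else:
            key, _, value = line.partition(" ")
            block[key] = value.strip("{} ").split() if value.startswith("{") else value
    return block

def parse_profiles(dump):
    return {k.rsplit(" ", 1)[1]: v for k, v in parse_block(dump.splitlines()).items()}

def effective(profiles, name):
    own = profiles[name]
    parent = effective(profiles, own["defaults-from"]) if "defaults-from" in own else {}
    return {**parent, **own}  # a child's key replaces the parent's whole value

def audit(profiles, name):
    cfg = effective(profiles, name)
    certs = {entry.get("cert") for entry in cfg.get("cert-key-chain", {}).values()}
    checks = [(cfg.get("renegotiation") == "disabled", "renegotiation not disabled"),
              ({"no-ssl", "no-tlsv1", "no-tlsv1.1"} <= set(cfg.get("options", [])), "SSLv3/TLS1.0/TLS1.1 enabled"),
              (bool(certs) and "default.crt" not in certs, "serves the BIG-IP self-signed default.crt")]
    return [msg for ok, msg in checks if not ok]  # empty list means the profile passes
```

Running `audit(parse_profiles(TMSH_DUMP), "CLIENTSSL-HTTP2")` flags the parent alone as serving the default certificate, while the child that adds its own cert-key-chain passes.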
- HuwAltostratus
Thanks Paulius - that makes sense, but why does all the documentation refer to clientssl-secure? I can't think of a situation where that would be useful.
Also - do I need to do anything differently on the client SSL profile than I would have done using HTTP/1.1?
Where have you read that you NEED to choose clientssl-secure? I quickly checked a few articles and don't see it.
- HuwAltostratus
Maybe I'm not as good at searching as I thought! Please pass on any links you think might be useful, and I'll resume my own search.
- HuwAltostratus
Here's the link I was using:
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-http2-full-proxy-configuration-14-1-0/01.html#guid-b39ab2c5-5295-47ed-99ca-3527eb076b7e
"You do not need to create a Client SSL profile because a profile named clientssl-secure already exists on the system."