Forum Discussion
SSL Offload with HTTP/2.0
- Jan 30, 2024
The following article does give instructions to use the clientssl-secure profile:
https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-http2-full-proxy-configuration/http2-full-proxy-configuring.html
However, this is just used as an example. In reality, you would use clientssl-secure as a parent profile of a child clientssl profile (which has the cert / key / chain applied).
Below is a configuration that I have used in the past for configuring HTTP/2 with SSL offload. It disables renegotiation and only allows TLS 1.2.
Configuring HTTP/2 Client-Side (SSL Offload)
# Create HTTP/2 profile
create ltm profile http2 HTTP2 defaults-from http2

# Create parent client-ssl HTTP/2 compatible profile (renegotiation disabled and TLS1.2 PFS ciphers enabled)
create ltm profile client-ssl CLIENTSSL-HTTP2 defaults-from client-ssl description "HTTP/2 Compatible - SSL Renegotiation Disabled, PFS Enabled" renegotiation disabled ciphers 'ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES' options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }

# Create child client-ssl profile (inherit from parent client-ssl profile)
create ltm profile client-ssl CLIENTSSL-HTTP2-<FQDN> defaults-from CLIENTSSL-HTTP2 cert-key-chain add { <FQDN>-<YEAR> { cert <FQDN>-<YEAR>.crt key <FQDN>-<YEAR>.key chain <INTERMEDIATE CA BUNDLE>.crt } }

# Create pool
create ltm pool <POOL NAME> load-balancing-mode least-connections-member members add { <IP>:<PORT> } monitor <MONITOR>

# Create HTTP/2 virtual server
create ltm virtual <VS NAME> destination <VIP>:<PORT> profiles add { tcp http HTTP2 CLIENTSSL-HTTP2-<FQDN> } pool <POOL NAME>
Under the virtual server you should have a setting labeled "SSL Profile (Client)" which is where you would associate your SSL cert and key of choice to the virtual server in question. Please keep in mind that if you use the "clientssl-secure" it will use an F5 self-signed SSL certificate so end users will receive an error on their side about either the name not matching or that you are using an SSL certificate that isn't from a trusted certificate authority.
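As an added check that is not part of the post, the Python linter below parses the parent client-ssl command above and reports which groups in the cipher string lack forward secrecy or an AEAD mode, and whether the no-* options really leave TLS 1.2 as the only offered version. It assumes F5 cipher-keyword semantics (RSA selects RSA key exchange, a bare AES or SHA256/SHA384 term can match CBC suites) and that renegotiation defaults to enabled when the option is absent; the PROFILE string is a constructed excerpt of the posted command.

```python
import re

# The post's client-ssl command, trimmed to the fields the checks read
# (constructed excerpt of the configuration above).
PROFILE = (
    "create ltm profile client-ssl CLIENTSSL-HTTP2 defaults-from client-ssl "
    "renegotiation disabled "
    "ciphers 'ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:"
    "ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES' "
    "options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl "
    "no-tlsv1 no-tlsv1.1 no-tlsv1.3 }"
)

PFS_KX = {"ECDHE", "DHE"}           # key-exchange keywords with forward secrecy
AEAD_MARKERS = ("GCM", "CHACHA20")  # bulk-cipher keywords that select AEAD suites

def parse_profile(cmd):
    """Extract renegotiation, cipher groups and options from a tmsh command."""
    reneg = re.search(r"renegotiation (\w+)", cmd)
    ciphers = re.search(r"ciphers '([^']*)'", cmd)
    options = re.search(r"options \{([^}]*)\}", cmd)
    return {
        # assumption: BIG-IP client-ssl profiles default to renegotiation enabled
        "renegotiation": reneg.group(1) if reneg else "enabled",
        "cipher_groups": ciphers.group(1).split(":") if ciphers else [],
        "options": set(options.group(1).split()) if options else set(),
    }

def enabled_tls_versions(options):
    """TLS versions the profile still offers after its no-* options."""
    return {v for v in ("tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3")
            if f"no-{v}" not in options}

def lint_http2_clientssl(cmd):
    """Findings a reviewer would raise for an HTTP/2 client-ssl profile."""
    p = parse_profile(cmd)
    findings = []
    if p["renegotiation"] != "disabled":
        findings.append("renegotiation is not disabled")
    for group in p["cipher_groups"]:
        terms = group.split("+")
        if not PFS_KX.intersection(terms):  # F5 'RSA' keyword = RSA key exchange
            findings.append(f"{group}: no forward secrecy")
        if not any(m in t for t in terms for m in AEAD_MARKERS):
            findings.append(f"{group}: can match CBC suites (RFC 7540 Appendix A blacklist)")
    versions = enabled_tls_versions(p["options"])
    if versions != {"tlsv1.2"}:
        findings.append(f"enabled TLS versions {sorted(versions)} are not TLS 1.2 only")
    return findings
```

Run against the posted string it flags the three RSA+ groups as non-PFS and the five groups without GCM or CHACHA20 as able to match CBC suites, while confirming the version set is TLS 1.2 only.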
- Huw, Jan 30, 2024, Altostratus
Thanks Paulius - that makes sense, but why does all the documentation refer to clientssl-secure? I can't think of a situation where that would be useful.
Also - do I need to do anything differently on the client SSL profile than I would have done using HTTP/1.1?