Forum Discussion
SSL offloading with port 8443
Based on the configuration on your last post, you have:
A virtual server receiving traffic on port 8443
A client ssl profile to encrypt traffic towards the clients
No server ssl profile to consume encryption from the backend platform on the pool
Is the platform on backend pool members encrypted? If so, you'll need to add a server ssl profile to the virtual server.
In terms of the client ssl profile, you need to configure the specific ssl certificate with its private key and chain certificate (the issuer intermediate certificate with which the primary certificate was signed).
Hope that helps.
The backend pool member is also using port 8443, so when I tried to add a server ssl profile the url shows "can't reach this page". Now that the backend servers work with port 8443, should I have a server ssl profile or shouldn't I?
- Paulius, Mar 10, 2023, MVP
TMH If your pool members are expecting to receive HTTPS traffic on 8443 then you would absolutely need a SSL Profile (Server) configured on the virtual server. It is possible to have the server configured to receive decrypted traffic on 8443 but you would have to verify. An easy way to validate if the server is expecting HTTPS traffic is to perform a curl from the F5 directed at the server's IP on 8443. The command should be very similar to the following with the appropriate information filled in.
curl -Ivk "https://<server_IP>:8443/"
If you know the host field that the server is listening for you can do the following instead.
curl -IvkH 'Host: <website_host>' "https://<server_IP>:8443/"
After running either of these commands you should see the SSL certificate in the output if the server is expecting HTTPS communication on this port.
- wlopez, Mar 10, 2023, Cirrocumulus
As Paulius commented, you need to figure out if your pool members are expecting encrypted traffic.
You can validate it via ssh with some curl commands from the F5 (curl -Ivvvk https://<PoolMember_IP>:8443), or by adding tcp, http and https health monitors to the pool and then view which ones pass or fail.
If the servers on the pool are set up to encrypt traffic on port 8443, you definitely need to add a server ssl profile to the virtual server.
If application traffic is http based at the application layer, you can also add an http profile to the virtual server and monitor the http request statistics for the pool. If the ssl handshake between the F5 (acting as client towards the pool members' ssl encryption) and the pool members is working correctly, you should see the http requests stats on the pool increment with every hit to the virtual server.
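The check both replies describe (does the pool member actually speak TLS on 8443, or is it a cleartext listener that the F5 would break by adding a server ssl profile?) can be scripted when there are many members to verify. The following is an added example, not code from the thread or from F5: `probe_backend` performs the same handshake probe as `curl -Ivk`, classifies the answer, and `start_plaintext_backend` is a constructed local stand-in for a member serving plain HTTP, so the script can be run offline; the host, port and return keys are assumptions of this example.

```python
import hashlib
import socket
import ssl
import threading


def probe_backend(host, port=8443, timeout=3.0):
    """Classify host:port as 'tls', 'plaintext' or 'unreachable'. Like curl -k,
    verification is off so a self-signed backend cert is still reported (by
    SHA-256 fingerprint) rather than mistaken for a cleartext listener."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"state": "unreachable", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return {"state": "tls", "version": tls.version(),
                    "sha256": hashlib.sha256(der).hexdigest()}
    except ssl.SSLError as exc:
        # The member answered the ClientHello with non-TLS bytes (typically an
        # HTTP error), so it is listening for cleartext on this port.
        return {"state": "plaintext", "detail": exc.reason or str(exc)}
    except OSError as exc:
        # Reset or timeout mid-handshake: port open, but no usable TLS reply.
        return {"state": "plaintext", "detail": str(exc)}


def start_plaintext_backend():
    """Constructed stand-in for a member speaking plain HTTP on its port: it
    answers one connection with an HTTP error, as a cleartext server does when
    handed a TLS ClientHello. Returns the ephemeral localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port
```

A 'plaintext' result means the member wants decrypted traffic and no server ssl profile should be attached; a 'tls' result means one is required, and the fingerprint lets you confirm every member presents the expected certificate.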