Forum Discussion
SSL offloading with port 8443
Hi, this the output of the curl command
run /util bash -c 'curl -Ivk https://xx.xx.xx.xx:8443/'
* Trying xx.xx.xx.xx...
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=Unknown; ST=Unknown; L=Unknown; O=Unknown; OU=Unknown; CN=localhost
* start date: May 31 08:59:32 2017 GMT
* expire date: Aug 29 08:59:32 2017 GMT
* issuer: C=Unknown; ST=Unknown; L=Unknown; O=Unknown; OU=Unknown; CN=localhost
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> HEAD / HTTP/1.1
> Host: xx.xx.xx.xx:8443
> User-Agent: curl/7.47.1
> Accept: */*
>
< HTTP/1.1 404
HTTP/1.1 404
< vary: accept-encoding
vary: accept-encoding
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< Content-Language: en
Content-Language: en
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Date: Sun, 12 Mar 2023 03:44:34 GMT
Date: Sun, 12 Mar 2023 03:44:34 GMT
< Server: XXX
Server: XXX
<
*
- PauliusMar 12, 2023MVP
TMH Based on that server response your server is expecting the connection from the F5 to the server to be HTTPS so you will need to configure an SSL server profile on the virtual server (VS) as well. You should be able to use the default SSL server profile called "serverssl" and that should do what you want it to. If you wanted to perform additional restrictions you could create a custom SSL profile (Server) and adjust the settings but the default should get you to a good spot.
- wlopezMar 12, 2023Cirrocumulus
Agree with Paulius.
With that curl output you will definitely need to add a server ssl profile to your virtual server.
Since the pool member negotiated a secure TLS 1.2 cipher suite, you should be good to go with the default profile calles 'serverssl'.
Once you do add the server ssl profile, you should be able to monitor your pool;s statistics for traffic in and out, and the http request count (if you have an htp profile on the virtual server).
In case your pool members don't have a route back trough the BigIP for client addresses, you might need to activate SNAT Automap to your virtual server.
- PauliusMar 13, 2023MVP
TMH as wlopez you might have to enable SNAT. Now I don't agree to utilize SNAT automap and instead create a snatpool and in that snatpool add in the IP of the virtual server you are configuring and then use that snatpool for SNAT. The reason for this is sometimes if your virtual server has a significant amount of client connections you could exhaust the ports used for automap which would then cause issues with health checks and a few other things, but if you instead use a snatpool with the virtual server IP you could only cause issues with this single virtual server if the connections were high enough. If you connections are high enough you could add in multiple IPs to the snatpool to help with the port exhaustion issue.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com