Mubasher_Sultan
May 13, 2013

SSL-Offloading on Port 8081 !!!

Hi,

I have a requirement to do a client SSL offload on the BIG-IP.

Currently, the VIP is 10.10.10.10 and the below is working fine:

http://10.10.10.10:8081/sm/index.do

We need to change it to https://

For example, a user will enter https://10.10.10.10 in the browser and it should work. (The BIG-IP will offload it and should redirect it to http://10.10.10.10:8081/sm/index.do on the backend towards the server side.)

How can this be achieved? Or what is the right way to get it done?

Hope this explains the issue to you.

Thanks,

Regards,

Mubasher Sultan

5 Replies

  • You just need a client SSL profile attached to the virtual server. It would appear, since users will just type https://10.10.10.10 into the browser, that the virtual server will be listening on port 443 (the default port for HTTPS). You then just need a pool with your port 8081 members added. Make sure port and address translation are enabled, and you should be good to go. The client SSL profile will terminate the SSL and pass the unencrypted payload to the port 8081 servers.

    As for the URI redirect, you have a few options:

    1. Let the server do it.

    2. Physically redirect the user (via 302 message) with an iRule (this will change the address in the browser):

        when HTTP_REQUEST {
            # Send a 302 so the browser itself requests /sm/index.do
            if { [HTTP::uri] equals "/" } {
                HTTP::redirect "/sm/index.do"
            }
        }

    3. If you don't want the user to see the URI, silently change it with the HTTP::uri command:

        when HTTP_REQUEST {
            # Rewrite the URI before it reaches the pool member; the browser still shows "/"
            if { [HTTP::uri] equals "/" } {
                HTTP::uri "/sm/index.do"
            }
        }
  • Hi Kevin,

    Backend servers are listening on port 8081. With the redirection used in option 2, I can only redirect from https://10.10.10.10 to https://10.10.10.10/sm.index.do

    The redirection works, but it is unable to fetch the information from the servers, which are listening on port 8081.

    Thanks,

    Regards,

    Mubasher Sultan

  • Correction to the earlier post. It redirects from https://10.10.10.10 to https://10.10.10.10/sm/index.do

    SSL offload is successful, but after that the application does not get loaded, as it is listening on port 8081.

    Regards,

    Mubasher Sultan

  • Hamish
    Seems to be a bit of confusion in here. There shouldn't be any redirection.

    The BigIP acts as a proxy. You connect to https://vipaddr/ and it goes & gets the content from the backend server on whatever ip & port it's working on, then sends the results to the client. No redirects necessary, unless the SERVER redirects to itself (e.g. redirects / to /index.html) in which case the redirect often needs re-writing to use the client facing URL instead of the URL directly addressing the server.

    H
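
The server-side redirect rewrite Hamish describes, as an added example that is not part of the original thread: if a pool member answers with an absolute `http://...:8081/...` Location, the browser would leave the HTTPS virtual server and try plain HTTP on the backend port, so the iRule below rewrites such redirects to the client-facing HTTPS URL. It assumes the virtual server listens on 443 and the pool members on 8081; the variable names are illustrative.

```tcl
# Added example, not from the thread. Assumes: virtual server on 443 with a
# client SSL profile, pool members on 8081, and a server that may emit
# absolute http:// redirects naming the VIP host or its own address.
when HTTP_REQUEST {
    # Save the host the client addressed for use on the response side.
    set client_host [HTTP::host]
}

when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]
        # Match http://<host>[:port][/path]; relative Locations such as
        # "/sm/index.do" do not match and pass through unchanged.
        if { $client_host ne "" &&
             [regexp {^http://([^/:]+)(?::\d+)?(/.*)?$} $loc -> loc_host loc_path] } {
            # Rewrite only redirects that point back at this application
            # (the VIP host or the selected pool member), never at
            # third-party sites.
            if { $loc_host eq $client_host || $loc_host eq [IP::server_addr] } {
                if { $loc_path eq "" } { set loc_path "/" }
                HTTP::header replace Location "https://$client_host$loc_path"
            }
        }
    }
}
```

With this in place a backend response of `Location: http://10.10.10.10:8081/sm/index.do` reaches the client as `Location: https://10.10.10.10/sm/index.do`, so the session stays on the TLS-terminated virtual server.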