Forum Discussion

chic_cat_324145's avatar
chic_cat_324145
Icon for Altocumulus rankAltocumulus
Sep 18, 2018

SSL Proxy

Hello, I have multiple puppet masters behind f5 and would like to offload ssl on F5 and encrypt it again and pass to backend server. I created: a) client ssl profile (uploaded cert + private key from...
application delivery
devops
LTM
  • chic_cat_324145's avatar
    chic_cat_324145
    Sep 20, 2018

    This helped. Thanks everyone, I finally made it work!

     

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 18, 2018

Okay, two things.

  • Why do you have SSL Forward Proxy enabled? You definitely shouldn’t need this. SSLFWD is used when the F5 is a forward proxy (for outbound traffic) and you need to re-issue (forge) remote server certs. I think you’re just dealing with a reverse proxy here, so you just need the server cert and key in the client SSL profile, and probably just the generic serverssl profile.

  • You don’t need to specify a key in the ssldump. That’d be if you were trying to decrypt the traffic, and would also only work with non-PFS (RSA key exchange) ciphers. You just need a very simple ssldump command like this:

    ssldump -AdNn -i [vlan name] port 443 [and any additional display filters]