Forum Discussion
SSL reverse proxy
Looking for some advice please. We'd like to reverse proxy an internal server via a public IP address.
The public VIP has a public certificate issued via a well-known CA (client SSL profile) and is listening on port 443. This passes to a pool containing our internal server, also on port 443, but this site is using an internal self-signed cert that doesn't match the public cert.
LTM logs show the following when a client on the internet tries to connect:
SSL Handshake failed for TCP 1.2.3.4:64681 -> 5.6.7.8:443
1.2.3.4:64681 -> 5.6.7.8:443: Connection error: ssl_hs_rxhello:10784: alert(70) unsupported version
Is there any config we can do to make this work?
- oguzy (Cirrostratus)
Hi cymru81,
As your internal server listens on port 443, have you assigned a server ssl profile like serverssl-insecure-compatible?
- cymru81 (Altocumulus)
Hi oguzy, yes they are listening. I assigned the profile "serverssl" and it still doesn't work as expected?
- oguzy (Cirrostratus)
Hi cymru81,
You may check the following page: Error Message: 01260009:4: Connection error: <ssl_function>:<function_id>: <error_reason> (<reason_code>) (f5.com)
Do you have any other virtual server assigned the same client-ssl-profile? If so, do you see a similar error on that virtual server? Have you ever tried with another client (browser, mobile, etc.)?
I also suggest the Qualys SSL Labs page for certificate status.
Have a nice day.
- cymru81 (Altocumulus)
Yes, lots of other VSs using the same profile without issue. Works fine in a browser and renders OK. Wondering if the self-signed and public cert is the cause of the issues?
- oguzy (Cirrostratus)
Hi,
If you have assigned serverssl-insecure-compatible for the server SSL profile, a self-signed cert should not be an issue.
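An added example, not part of any post above and not F5 code: a small Python triage of LTM "Connection error" lines in the format quoted in the thread. It maps the TLS alert number to its RFC 5246 / RFC 8446 name so that version or cipher negotiation failures can be told apart from certificate alerts. The third sample line, including its function name, is constructed.

```python
import re
from collections import Counter

# TLS alert descriptions (RFC 5246 / RFC 8446), grouped by what they point at.
ALERTS = {
    40: ("handshake_failure", "negotiation"),
    42: ("bad_certificate", "certificate"),
    43: ("unsupported_certificate", "certificate"),
    44: ("certificate_revoked", "certificate"),
    45: ("certificate_expired", "certificate"),
    46: ("certificate_unknown", "certificate"),
    48: ("unknown_ca", "certificate"),
    70: ("protocol_version", "negotiation"),
    71: ("insufficient_security", "negotiation"),
}

# Matches the "Connection error" line format quoted in the thread.
LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+): Connection error: "
    r"(?P<func>\w+):(?P<func_id>\d+): alert\((?P<code>\d+)\) (?P<reason>.+)$"
)

def parse(line):
    """Return a dict for a Connection error line, or None for any other line."""
    m = LINE.search(line)
    if not m:
        return None
    code = int(m["code"])
    name, category = ALERTS.get(code, ("unknown", "other"))
    return {"src": m["src"], "dst": f"{m['dst']}:{m['dport']}", "func": m["func"],
            "code": code, "alert": name, "category": category,
            "reason": m["reason"].strip()}

def triage(lines):
    """Count failures per (destination, alert name, category)."""
    events = filter(None, map(parse, lines))
    return Counter((e["dst"], e["alert"], e["category"]) for e in events)

# Sample input: the two lines from the thread plus one constructed certificate alert
# (ssl_fn_placeholder is a made-up function name, not a real LTM identifier).
SAMPLE = [
    "SSL Handshake failed for TCP 1.2.3.4:64681 -> 5.6.7.8:443",
    "1.2.3.4:64681 -> 5.6.7.8:443: Connection error: ssl_hs_rxhello:10784: alert(70) unsupported version",
    "1.2.3.4:64690 -> 5.6.7.8:443: Connection error: ssl_fn_placeholder:0: alert(46) certificate unknown",
]

if __name__ == "__main__":
    for (dst, alert, category), n in triage(SAMPLE).items():
        print(f"{dst} {alert} ({category}): {n}")
```

Alert 70 from the thread's log falls in the negotiation group (protocol_version), not the certificate group.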