Forum Discussion
SSLO HTTP proxy based on category
akvzau, sadly I'm not familiar with this process, but it should be possible to have an HTTP proxy without performing SSL termination, because we currently use one with just the LTM without SSLO and it works for both HTTP and HTTPS traffic. Essentially, what happens in this case is that you have an HTTP tunnel between yourself and the LTM proxy, which you then tunnel HTTPS traffic over, and the LTM hands off the SSL negotiation directly to the destination. The following might be of some assistance.
- akvzau, Oct 30, 2023, Nimbostratus
Greatly appreciate your response. It seems the problem here is that if traffic is not decrypted, then the traffic will not be forwarded to service chains.
- Nikoolayy1, Nov 01, 2023, MVP
When you have no decryption, you need to use a layer 2 or layer 3 service, and then you can send undecrypted traffic, as for an HTTP service the SSLO adds a header to track the flow, and it can't if it is not decrypting the traffic.
See:
3.3. Creating an Inline HTTP Service (f5.com)
This is the most important distinction between HTTP (proxy) and L3 devices. An L3 device will simply route traffic across its interfaces without manipulating the packet headers. A proxy device, by definition, alters the packet's headers. SSL Orchestrator uses the ephemeral packet tuple information to track packets across inline L2 and L3 devices. But as an HTTP proxy device manipulates this information, SSL Orchestrator uses an HTTP header signal across an HTTP proxy device. This signaling mechanism limits an inline HTTP proxy device to unencrypted HTTP traffic.