Forum Discussion
NimbostratusSSLO http proxy base on category
MVPakvzau Sadly I'm not familiar with this process but it should be possible to have an HTTP proxy without performing SSL termination because we currently use one with just the LTM without SSLO and it works for both HTTP and HTTPS traffic. Essentially what happens in this case is you have an HTTP tunnel between yourself and the LTM proxy which you then tunnel HTTPS traffic over and the LTM hands off the SSL negotiation directly to the destination. The following might be of some assistance.
akvzauGreatly appreciate your response. Seems the problem here is if traffic not decrypted then traffic will not be forwarded to service chains.
- Nikoolayy1
When you have no decryption you need to use layer 2 or layer 3 service and then you can send not decrypted traffic as for http service the SSLO adds a header to track the flow and it can't if it is not decrypting the traffic..
See:
3.3. Creating an Inline HTTP Service (f5.com)
This is the most important distinction between HTTP (proxy) and L3 devices. An L3 device will simply route traffic across its interfaces without manipulating the packet headers. A proxy device, by definition, alters the packets headers. SSL Orchestrator uses the ephemeral packet tuple information to track packets across inline L2 and L3 devices. But as an HTTP proxy device manipulates this information, SSL Orchestrator uses an HTTP header signal across an HTTP proxy device. This signaling mechanism limits an inline HTTP proxy device to unencrypted HTTP traffic.
