Forum Discussion

akvzau's avatar
akvzau
Icon for Nimbostratus rankNimbostratus
Oct 30, 2023

SSLO http proxy base on category

Currently, we have a requirement to integrate SSLO for user proxy traffic, Current proxy policy is authenticated and filters based on user group. Certain categories are required to bypass SSL inte...
security
akvzau's avatar
akvzau
Icon for Nimbostratus rankNimbostratus

Greatly appreciate your response.  Seems the problem here is if traffic not decrypted then traffic will not be forwarded to service chains.

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Nov 01, 2023

When you have no decryption you need to use layer 2 or layer 3 service and then you can send not decrypted traffic as for http service the SSLO adds a header to track the flow and it can't if it is not decrypting the traffic..

 

See:

3.3. Creating an Inline HTTP Service (f5.com)

This is the most important distinction between HTTP (proxy) and L3 devices. An L3 device will simply route traffic across its interfaces without manipulating the packet headers. A proxy device, by definition, alters the packets headers. SSL Orchestrator uses the ephemeral packet tuple information to track packets across inline L2 and L3 devices. But as an HTTP proxy device manipulates this information, SSL Orchestrator uses an HTTP header signal across an HTTP proxy device. This signaling mechanism limits an inline HTTP proxy device to unencrypted HTTP traffic.