Forum Discussion
eszer_28053
Nimbostratus
NimbostratusThrottle https virtual server requests, with non terminated ssl connections
This is what I'd like to implement:
---- https request ---- \ F5 ----- https request --- \ Web server
---- client certificate - / irule https Throttle ---- client certificate - /
I'm trying to use http throttle v10 and above: https://devcentral.f5.com/wiki/iRules.HTTP-Request-Throttle-version-10-1-and-above.ashx
Without ssl-termination, https virtual server doesn't work when applying an http profile.
This is the http-profile I'm using:
ltm profile http /Partition1/profile_HTTP {
app-service none
defaults-from /Common/http
}
Is it possible to throttle https request through irule https with non f5 ssl termination?
Is it possible to configure a http profile for a https virtual server?
John_Matlock_42Eszer,
Your diagram shows client certificate on both sites, I assume you're going to have an SSL profile on the F5 and bridge SSL? You have to, at a minimum, have a server SSL profile on the HTTPS VIP in order to use the HTTP_REQUEST event in your iRule.
Is it possible to throttle https request through irule https with non f5 ssl termination?
SSL has to be terminated on the F5 for you to be able to use the HTTP events in an iRule. You can, however, configure both a server and client side profile to keep the over-the-wire traffic encrypted.
Is it possible to configure a http profile for a https virtual server?
Yes
John
eszer_28053
Thanks John, but we already tried terminating ssl connections in f5 and re-encrypt traffic, performance rate is unacceptable.
Too slow in f5 ltm 1600...- John_Matlock_42Thanks John, but we already tried terminating ssl connections in f5 and re-encrypt traffic, performance rate is unacceptable.
Eszer,
Sorry to hear that. If there is a security requirement to keep the traffic encrypted inside your network I'm afraid that I can't think of a way to do what you're looking for unless it is built into the application layer. The F5 has to have the traffic decrypted in order for it to inspect layer 4+.
Best of luck,
John - eszer_28053thanks anyway, we'll have to make big changes on application layer
- Chris_Miller
Altostratus
Posted By eszer on 04/27/2012 01:55 AM
Thanks John, but we already tried terminating ssl connections in f5 and re-encrypt traffic, performance rate is unacceptable.
Too slow in f5 ltm 1600...
Can you provide more details on this? I've done this in multiple environments and haven't see any added latency or performance degradation. In reality, the ability to use a 2048-bit key on the client side while using a 1024-bit key on the server side should improve performance. Having the decryption done on commodity CPUs should never perform better. - Double check your key sizes and make sure that you're not using 4096-bit keys. Only 512, 1024, and 2048-bit are handled by the Cavium chip. 4096-bit keys are selectable from the Web UI, but will not be offloaded and will instead be handled by the x86 processor. This can cause performance degradation under load. This article indicates that keys larger than 4096-bit will use software encryption : SOL10580: Change in Behavior: Maximum supported key size for BIG-IP Client SSL and Server SSL profiles.
-George
