Forum Discussion

eszer_28053
Nimbostratus
Apr 26, 2012

Throttle HTTPS virtual server requests with non-terminated SSL connections

 

This is what I'd like to implement:

---- https request ---- \ F5 ----- https request --- \ Web server
---- client certificate - / irule https Throttle ---- client certificate - /

I'm trying to use HTTP throttle (v10 and above): https://devcentral.f5.com/wiki/iRules.HTTP-Request-Throttle-version-10-1-and-above.ashx

Without SSL termination, the HTTPS virtual server doesn't work when applying an HTTP profile.

 

 

This is the HTTP profile I'm using:

ltm profile http /Partition1/profile_HTTP {
    app-service none
    defaults-from /Common/http
}

Is it possible to throttle HTTPS requests through an iRule on HTTPS without F5 SSL termination?

Is it possible to configure an HTTP profile for an HTTPS virtual server?


  • Eszer,

    Your diagram shows client certificates on both sides; I assume you're going to have an SSL profile on the F5 and bridge SSL? You have to, at a minimum, have a server SSL profile on the HTTPS VIP in order to use the HTTP_REQUEST event in your iRule.

    Is it possible to throttle HTTPS requests through an iRule on HTTPS without F5 SSL termination?

    SSL has to be terminated on the F5 for you to be able to use the HTTP events in an iRule. You can, however, configure both a server and a client side profile to keep the over-the-wire traffic encrypted.

    Is it possible to configure an HTTP profile for an HTTPS virtual server?

    Yes.

    John
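John's answer in configuration form, as an added example that is not from this thread or from F5: the HTTPS virtual server carries a client SSL profile and a server SSL profile (so the F5 decrypts, can fire HTTP_REQUEST, and re-encrypts toward the web server), attaches the HTTP profile from the opening post, and runs a simple per-client request throttle iRule using the session table. The virtual server name, destination address, pool name, rule name and the rate values are assumptions.

```tcl
# Assumed names: vs_https_throttle, pool_web, rule_https_throttle and the
# documentation address 203.0.113.10. profile_HTTP is the profile from the post.
ltm virtual /Partition1/vs_https_throttle {
    destination /Partition1/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/tcp { }
        /Partition1/profile_HTTP { }
        /Common/clientssl { context clientside }
        /Common/serverssl { context serverside }
    }
    rules { /Partition1/rule_https_throttle }
    pool /Partition1/pool_web
}

ltm rule /Partition1/rule_https_throttle {
when HTTP_REQUEST {
    # This event only fires because the client SSL profile decrypts first.
    set maxRate 10
    set windowSecs 1
    set clientKey [IP::client_addr]

    # One counter per client address in its own subtable; table incr creates
    # the key with value 1 when it does not exist and returns the new value.
    set reqCount [table incr -subtable throttle $clientKey]

    if { $reqCount == 1 } {
        # First request of a new window: make the counter expire after
        # windowSecs no matter how often it is touched (lifetime, not timeout).
        table lifetime -subtable throttle $clientKey $windowSecs
    }

    if { $reqCount > $maxRate } {
        # Over the limit: answer from the F5 so the request never reaches the pool.
        HTTP::respond 503 content "Rate limit exceeded" "Retry-After" $windowSecs "Connection" "close"
        return
    }
}
}
```

Because the counter lives in the session table it is shared across TMMs on the device, so the limit is enforced per client address for the whole box rather than per connection.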
  • Thanks John, but we already tried terminating SSL connections on the F5 and re-encrypting the traffic; the performance rate is unacceptable.

    Too slow on an F5 LTM 1600...
  • Thanks John, but we already tried terminating SSL connections on the F5 and re-encrypting the traffic; the performance rate is unacceptable.

    Eszer,

    Sorry to hear that. If there is a security requirement to keep the traffic encrypted inside your network, I'm afraid that I can't think of a way to do what you're looking for unless it is built into the application layer. The F5 has to have the traffic decrypted in order for it to inspect layer 4+.

    Best of luck,

    John
  • Posted By eszer on 04/27/2012 01:55 AM

    Thanks John, but we already tried terminating SSL connections on the F5 and re-encrypting the traffic; the performance rate is unacceptable.

    Too slow on an F5 LTM 1600...

    Can you provide more details on this? I've done this in multiple environments and haven't seen any added latency or performance degradation. In reality, the ability to use a 2048-bit key on the client side while using a 1024-bit key on the server side should improve performance. Having the decryption done on commodity CPUs should never perform better.
  • George_Watkins_
    Historic F5 Account

    Double check your key sizes and make sure that you're not using 4096-bit keys. Only 512, 1024, and 2048-bit keys are handled by the Cavium chip. 4096-bit keys are selectable from the Web UI, but will not be offloaded and will instead be handled by the x86 processor. This can cause performance degradation under load. This article indicates that keys larger than 4096-bit will use software encryption: SOL10580: Change in Behavior: Maximum supported key size for BIG-IP Client SSL and Server SSL profiles.

    -George