Forum Discussion
BJ_114988
Nimbostratus
Nimbostratuswhy do we attached http profile to SSL vip?
why do we attached http profile to vip on port 443?
My understanding that it is required for LB to understand web traffic after LB decrypt it..
Let me know your views..
Also..if there is redirect configured as below on vips : -
vip port80 (redirect to 443vip)----443 vip
if we remove ssl cert from 443 vip do we need to remove http profile from 443 vip?
HTTP profile is essentially a buffer+parser which checks whether the request format complies with the standard. When used, it opens up new possibilities for request/response adaption and payload modifications. It has some unintended benefits from the security standpoint too, for instance, it protects your web-servers from Slowloris attacks. So I would use it even when it's not a pre-requisite for your iRules or LTM policies.
- you understand is correct, if you only want to use simple load balance without info from http payload, http profile is not necessary. regarding the redirect, do those vs process https traffic? if you remove ssl profile, http profile should be removed
BJ_114988How to identify if traffic has http payload? is there any simple way other than wireshark capture. regarding the redirect - yes they process https traffic..if we dont remove it , what will be impact and why it needs to be removed....lot of confusion here....
Hannes_RappHTTP profile is essentially a buffer+parser which checks whether the request format complies with the standard. When used, it opens up new possibilities for request/response adaption and payload modifications. It has some unintended benefits from the security standpoint too, for instance, it protects your web-servers from Slowloris attacks. So I would use it even when it's not a pre-requisite for your iRules or LTM policies.
- BJ_114988Thank you so much for answer..Finally understood why to use http profile..:) We are enabling cookie persistence on http vip with http profile... now it should work!! and just in case if user want to enable cookie persistence on ssl terminated VIP that is on vip with port 443.....do we still need to enable http profile on vip or will work with default tcp profile?
Vijay_ECirrus
You would need HTTP profile for HTTP Cookie Persistence.- BJ_114988Thanks all for your answers!! really helped!! cherrs!
- Hannes_Rapp_162
Nacreous
HTTP profile is essentially a buffer+parser which checks whether the request format complies with the standard. When used, it opens up new possibilities for request/response adaption and payload modifications. It has some unintended benefits from the security standpoint too, for instance, it protects your web-servers from Slowloris attacks. So I would use it even when it's not a pre-requisite for your iRules or LTM policies.
- BJ_114988Thank you so much for answer..Finally understood why to use http profile..:) We are enabling cookie persistence on http vip with http profile... now it should work!! and just in case if user want to enable cookie persistence on ssl terminated VIP that is on vip with port 443.....do we still need to enable http profile on vip or will work with default tcp profile?
- Vijay_EYou would need HTTP profile for HTTP Cookie Persistence.
- BJ_114988Thanks all for your answers!! really helped!! cherrs!
