Forum Discussion
Without SSL profiles user is not able to access website
Hello guys,
Would you be so kind as to help me with a problem related to SSL profiles?
It is strange, but without an SSL profile the user is not able to reach the web site (virtual server) where there is a pool with one real server on which the certificate is loaded.
But when I load the same certificate on the F5 and add it to the SSL profile (client), the user is able to reach the VS and sees the correct certificate which was imported on the F5.
I do not see any connection between SSL profiles and the connection to servers. The user is getting 404 Not Found.
Thank you in advance. If you need some config, let me know.
- Andrew-F5
Employee
Did you remove any and all application layer profiles from the virtual server such as HTTP profiles?
• You can apply an HTTP profile but no SSL profile on the F5 and then send HTTPS traffic, resulting in the F5 attempting to process the HTTP request but never finishing, because it can never decrypt the traffic to actually view the HTTP data.
- MarekHudak
Nimbostratus
Hi,
I am not sure if I understand what you are saying. Currently it is working, because the certificate is on the BIG-IP, but I would rather have the certificate only on the real server (member of the pool).
Please see the config which shows the current setting. What do you think should be changed?
ltm virtual cmst.dieboldnixdorf.com-443 {
    destination 10.38.85.45:https
    ip-protocol tcp
    mask 255.255.255.255
    pool cmst.dieboldnixdorf.com-8443
    profiles {
        cmst.dieboldnixdorf.com {
            context clientside
        }
        diebold-http { }
        diebold-tcp { }
        serverssl {
            context serverside
        }
    }
    rules {
        Redirect_CMST
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 56
}
Thank you
- Andrew-F5
Employee
ltm virtual cmst.dieboldnixdorf.com-443 {
    destination 10.38.85.45:https
    ip-protocol tcp
    mask 255.255.255.255
    pool cmst.dieboldnixdorf.com-8443
    profiles {
        cmst.dieboldnixdorf.com {
            context clientside
        }
        diebold-http { }    <---- Remove this
        diebold-tcp { }
        serverssl {
            context serverside
        }
    }
Your current configuration asks the F5 to manage an impossible situation of manipulating encrypted HTTP content (HTTPS/TLS) without being able to decrypt it.
You cannot use a client-side HTTP profile without a client SSL profile.
- MarekHudak
Nimbostratus
Thank you for the complex explanation. But after removal of the http profile, the certificate will still be handled on the BIG-IP, yes? I would like to not handle the certificate on the BIG-IP, so the BIG-IP will just forward it to the member of the pool, which will provide the certificate for the end user.
Thank you
- Andrew-F5
Employee
If you want to perform SSL passthrough then remove the HTTP profile, Client SSL profile and Server SSL profiles from the F5.
See https://support.f5.com/csp/article/K12015#vs2 for more details.
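The two replies above describe the three profile combinations that matter here: an HTTP profile on a 443 listener with no client SSL profile (the BIG-IP cannot decrypt, so it cannot apply the HTTP profile), client SSL plus server SSL plus HTTP (termination and re-encryption, the poster's current working state), and no SSL or HTTP profile at all (SSL passthrough, the state the poster wants). The following is an added example, not code from F5 or from anyone in this thread: a small parser for the `ltm virtual` stanza format shown in the thread plus a check that classifies the virtual server and flags the HTTP-without-client-SSL mismatch. It assumes that the profiles carrying `context clientside` / `context serverside` are the SSL profiles, and that the caller passes the names of the HTTP profiles (the virtual server stanza does not record a profile's type; on a real box you would take them from `tmsh list ltm profile http`). The sample stanzas are constructed, modelled on the one posted above.

```python
"""Lint an F5 tmsh 'ltm virtual' stanza for the HTTP-profile / SSL-profile mismatch.

Added example, not F5 code. Assumptions: SSL profiles are the entries with a
'context clientside' or 'context serverside' attribute; HTTP profile names are
supplied by the caller (hypothetical http_profile_names parameter).
"""
import re


def tokenize(text):
    # Braces are their own tokens; everything else splits on whitespace.
    return re.findall(r"\{|\}|[^\s{}]+", text)


def parse_block(tokens, i):
    """Parse tokens starting just after an opening brace; return (dict, index after the '}')."""
    block = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return block, i + 1
        i += 1
        if i < len(tokens) and tokens[i] == "{":
            block[tok], i = parse_block(tokens, i + 1)   # nested block, e.g. profiles { ... }
        elif i < len(tokens) and tokens[i] != "}":
            block[tok] = tokens[i]                        # key/value pair, e.g. pool <name>
            i += 1
        else:
            block[tok] = None                             # bare entry, e.g. an iRule name
    raise ValueError("unbalanced braces in tmsh stanza")


def parse_virtual(text):
    """Return (virtual server name, attribute dict) for an 'ltm virtual <name> { ... }' stanza."""
    tokens = tokenize(text)
    if tokens[:2] != ["ltm", "virtual"] or len(tokens) < 4 or tokens[3] != "{":
        raise ValueError("expected 'ltm virtual <name> { ... }'")
    body, _ = parse_block(tokens, 4)
    return tokens[2], body


def classify_virtual(text, http_profile_names):
    """Classify the TLS handling mode and report the mismatch discussed in the thread."""
    name, vs = parse_virtual(text)
    profiles = vs.get("profiles") or {}
    client_ssl = sorted(p for p, a in profiles.items() if (a or {}).get("context") == "clientside")
    server_ssl = sorted(p for p, a in profiles.items() if (a or {}).get("context") == "serverside")
    http = sorted(p for p in profiles if p in http_profile_names)
    dest = vs.get("destination", "")
    tls_listener = dest.endswith(":https") or dest.endswith(":443")

    findings = []
    if tls_listener and http and not client_ssl:
        findings.append(
            f"{name}: HTTP profile {http} on a TLS listener without a client SSL profile; "
            "the BIG-IP cannot decrypt the request to apply it. Remove the HTTP profile "
            "(passthrough) or add a client SSL profile (termination).")
    if not client_ssl and not server_ssl and not http:
        mode = "ssl-passthrough"          # BIG-IP forwards TLS untouched; the pool member presents its cert
    elif client_ssl and server_ssl:
        mode = "terminate-and-reencrypt"  # BIG-IP presents its own cert, re-encrypts to the pool
    elif client_ssl:
        mode = "ssl-offload"              # BIG-IP terminates TLS, plaintext to the pool
    else:
        mode = "other"
    return {"name": name, "mode": mode, "client_ssl": client_ssl,
            "server_ssl": server_ssl, "http": http, "findings": findings}


# Constructed samples modelled on the stanza posted in the thread.
VS_BROKEN = """ltm virtual cmst-443 {
    destination 10.38.85.45:https
    ip-protocol tcp
    pool cmst-8443
    profiles { diebold-http { } diebold-tcp { } }
    source 0.0.0.0/0
}"""

VS_TERMINATED = """ltm virtual cmst.dieboldnixdorf.com-443 {
    destination 10.38.85.45:https
    ip-protocol tcp
    pool cmst.dieboldnixdorf.com-8443
    profiles {
        cmst.dieboldnixdorf.com { context clientside }
        diebold-http { }
        diebold-tcp { }
        serverssl { context serverside }
    }
    rules { Redirect_CMST }
    source-address-translation { type automap }
}"""

VS_PASSTHROUGH = """ltm virtual cmst-443-passthrough {
    destination 10.38.85.45:https
    ip-protocol tcp
    pool cmst-443
    profiles { diebold-tcp { } }
}"""

if __name__ == "__main__":
    for stanza in (VS_BROKEN, VS_TERMINATED, VS_PASSTHROUGH):
        print(classify_virtual(stanza, {"diebold-http"}))
```

Running the script prints the mode for each sample; only `VS_BROKEN` produces a finding. For the passthrough case the check also confirms that no server SSL profile remains, since re-encrypting on the server side is pointless when the BIG-IP never decrypted the client side.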