Forum Discussion

vedranr_225213
Nov 09, 2017

X-Forwarded-For without an HTTP profile?

I have a VIP that does SSL pass-through (the F5 doesn't offload any SSL), so I can't use an HTTP profile, but I would like to have X-Forwarded-For enabled.

 

Is there a way to accomplish that?

 

Thx,

 

Vedran

 

  • Hello Vedran,

     

    You can't add the XFF header without an HTTP profile.

     

    Also, if you don't terminate SSL on the F5, the system cannot manage headers, since the headers and body are fully encrypted.

     

    If you want to add the XFF header, you should at least do SSL bridging.

     

    That means you will have one SSL tunnel between the client and the F5 and another one between the F5 and the backend server.

     

    Regards
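As an added example (not part of the original thread and not F5's own documentation), here is what the SSL bridging setup described in the answer above looks like in tmsh. The object names, the pool member and VIP addresses, and the certificate/key names (app.example.com.crt / app.example.com.key, assumed to be already imported into the BIG-IP) are assumptions; the profile types and properties are standard tmsh syntax.

```tmsh
# Added example, not from the original post. Object names, addresses and the
# certificate/key names are assumptions; the cert/key must already be imported.

# Client-side TLS: the BIG-IP terminates the client's session here, so this
# profile carries a certificate the client trusts for the VIP's hostname.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert app.example.com.crt key app.example.com.key

# Server-side TLS: the BIG-IP opens a second TLS session to the pool member.
# The default server-ssl profile does not verify the backend certificate
# (peer-cert-mode ignore); for a hardened deployment set peer-cert-mode require
# together with a ca-file, otherwise this leg is open to an on-path substitution.
create ltm profile server-ssl app_serverssl defaults-from serverssl

# The HTTP profile is what actually inserts X-Forwarded-For. It can only do so
# because, between the two SSL profiles, the request is cleartext inside TMM.
create ltm profile http app_http defaults-from http insert-xforwarded-for enabled

create ltm pool app_pool monitor https members add { 10.0.0.11:443 10.0.0.12:443 }

# Both SSL profiles plus the HTTP profile on one virtual server = SSL bridging.
# With SNAT automap the backend sees the BIG-IP as the source address, so the
# inserted XFF header is the only place the real client IP survives.
create ltm virtual app_vs destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp app_http app_clientssl { context clientside } app_serverssl { context serverside } } pool app_pool source-address-translation { type automap }

save sys config
```

Two things to check after applying it. First, `list ltm virtual app_vs profiles` should show the HTTP profile sandwiched between a clientside and a serverside SSL profile; if either SSL profile is missing, the virtual server will refuse the HTTP profile or the traffic will stay opaque. Second, since any client can send its own X-Forwarded-For header, the backend application should only trust that header on requests arriving from the BIG-IP's SNAT addresses, and should read the value the BIG-IP appended rather than the first one it sees.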

     

  • While @JTI is correct, there is an option if you can install the server certificate and key on the LTM and are willing to set the server to only accept RSA ciphers.

     

    Proxy SSL allows the LTM to inspect and modify SSL traffic with an HTTP profile, while still maintaining SSL negotiation passthrough for client certificate authentication directly with the server.

     

    However, the LTM must have the server certificate and key installed, and only RSA ciphers are permitted. You can either reject non-RSA ciphers, or non-RSA will pass through without inspection/modification.

     

    Proxy SSL supports only the RSA key exchange. For proper functioning, the client and server must not negotiate key exchanges or cipher suites that Proxy SSL does not support, such as the Diffie-Hellman (DH) and Ephemeral Diffie-Hellman (DHE) key exchanges, and the Elliptic Curve Cryptography (ECC) cipher suite. To avoid this issue, you can either configure the client so that the ClientHello packet does not include DH, DHE, or ECC; or configure the server to not accept DH, DHE, or ECC.
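The Proxy SSL variant described in the answer above, as an added example that is not part of the original thread or of F5's documentation. The object names and addresses are assumptions, and app-server.crt / app-server.key stand for the backend server's own certificate and private key, which the answer says must be installed on the BIG-IP. Whether the server's cert/key belongs on the server-ssl profile (as shown here) should be confirmed against the F5 Proxy SSL documentation for the running version.

```tmsh
# Added example, not from the original post or F5 documentation. Object names,
# addresses and certificate/key names are assumptions; app-server.crt/.key are
# the backend's own certificate and private key, already imported.

# Client-side profile with Proxy SSL: the BIG-IP observes the handshake instead
# of terminating it, so the client still sees the real server certificate and
# can still perform client-certificate authentication against the server.
create ltm profile client-ssl app_proxyssl_client defaults-from clientssl proxy-ssl enabled

# Server-side profile with Proxy SSL and the server's cert/key. The BIG-IP needs
# the server's RSA private key to decrypt the client's premaster secret; that is
# how it derives the session keys, and why only the RSA key exchange works.
# DHE/ECDHE produce keys the BIG-IP cannot recover from a passive position.
create ltm profile server-ssl app_proxyssl_server defaults-from serverssl proxy-ssl enabled cert app-server.crt key app-server.key

# The same HTTP profile does the XFF insertion once the BIG-IP has the keys.
create ltm profile http app_http defaults-from http insert-xforwarded-for enabled

create ltm pool app_pool monitor https members add { 10.0.0.11:443 10.0.0.12:443 }

create ltm virtual app_proxyssl_vs destination 192.0.2.11:443 ip-protocol tcp profiles add { tcp app_http app_proxyssl_client { context clientside } app_proxyssl_server { context serverside } } pool app_pool source-address-translation { type automap }

# Optional: instead of the non-RSA handshakes failing, let them pass through
# uninspected (no XFF header on those connections). Enable on both profiles.
# modify ltm profile client-ssl app_proxyssl_client proxy-ssl-passthrough enabled
# modify ltm profile server-ssl app_proxyssl_server proxy-ssl-passthrough enabled

save sys config
```

The cipher restriction itself has to happen on the client or the server, since with Proxy SSL the BIG-IP is not the endpoint negotiating the suite; on an OpenSSL-based backend (an assumption about the server software) a cipher string built around the `kRSA` keyword keeps only RSA key exchange. To confirm which mode a connection ended up in, test from a client with `openssl s_client -connect <vip>:443 -cipher kRSA` and again with an ECDHE-only cipher string: the first should yield XFF at the backend, the second should either fail or (with passthrough enabled) connect without the header. Keep the trade-off in mind before choosing this design: RSA key exchange has no forward secrecy, so one leaked server key decrypts every recorded session, and TLS 1.3 removed RSA key exchange entirely, so this approach does not carry over to TLS 1.3 clients.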