
Configure port 443 to use the SSL that is installed on the Apache or Caddy server

Lukes
Altostratus

Hi,

I'm trying to open port 443 (https) without offloading the SSL cert. If I don't set up any profile, the BIG-IP does not forward traffic to my server. If I set up only a server-side SSL profile without any certificate, it forwards, but there is no information about the requested host.


I cannot find any information on how to do it properly.


Thank you for your help.

Luke


Hello, as you are trying to skip SSL offloading on the F5 and let the server handle the SSL handshakes, do not configure an HTTP profile or client- and server-side SSL profiles on the virtual server. In this config, the client will do the SSL handshake with the actual web server.


Just check the settings to see if SNAT is required. If the web server's gateway is not the F5, you need to enable the SNAT option; otherwise it will cause an asymmetric routing issue.


Hope it helps!

Mayur

Lukes
Altostratus

Hi Mayur,


I tried those options, and it still does not work. I tried the simplest option, which was:

(screenshot of the virtual server configuration)

The pool for that virtual server has one member, 192.168.1.199, with the Service Port set to 0 (I selected *).


I also tried exactly what you said, which was no HTTP profile, no SSL profile for client or server, and SNAT selected.


Any ideas? How do I debug this stuff?

Now check for a route on the F5 to the web server IP, i.e. 192.168.1.199. Check if a proper route is available. This will also cause issues.


Mayur

Lukes
Altostratus

When I SSH to the F5 box I can traceroute to 192.168.1.199 and it works. The only route I have on the BIG-IP is the default one, which is the gateway for our public IP.


I have almost 100 virtual servers configured and everything works; however, I have never tried to skip SSL offloading. I cannot believe that it is that complicated. Unless there is a bug in BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2.

Lukes
Altostratus

Also, for everybody else, I am trying to run Caddyserver v2. The idea is that the whole application is configured in Caddy and the F5 BIG-IP is a pure firewall and, if possible, a load balancer.

Lukes
Altostratus

I ran a few tests. I ran openssl externally and internally, and the external one did not receive any response.


Internal:

openssl s_client -connect 192.168.1.199:443 -cipher 'DEFAULT:!ECDH'
CONNECTED(00000003)
3073623740:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 161 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


External:

openssl s_client -connect next-app.XXXX.com:443 -cipher 'DEFAULT:!ECDH'
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 292 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Lukes
Altostratus

Thank you Mayur for your help. I finally fixed it by enabling Address Translation and Port Translation and setting Source Address Translation to AutoMap. Just two checkboxes fixed all the issues. Now my Caddyserver v2 autoconfigures SSL and runs the website without problems. Love it.
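For reference, here is what the working configuration described in this thread looks like in tmsh object form: a standard virtual server with only a TCP profile (no HTTP, client-ssl or server-ssl profile, so the TLS handshake and the SNI in the ClientHello pass through to Caddy untouched), SNAT AutoMap so the server's replies come back through the BIG-IP even though its gateway is not the F5, and address and port translation enabled. This is an added example, not configuration posted by anyone in the thread; the object names, the VIP 203.0.113.10 and the pool member port 443 are assumptions (the original poster used a pool member port of 0, which makes the BIG-IP keep the client's destination port). The lines starting with # are annotations and should be stripped before loading the text with tmsh.

```tmsh
# Backend pool: Caddy v2 terminating TLS itself on 192.168.1.199:443.
# A plain TCP monitor is used because the BIG-IP never decrypts the traffic.
ltm pool pool_caddy_443 {
    members {
        192.168.1.199:443 {
            address 192.168.1.199
        }
    }
    monitor tcp
}

# Pass-through virtual server. Only the tcp profile is attached: no http,
# no clientssl, no serverssl, so the BIG-IP forwards the TLS bytes as-is.
ltm virtual vs_next-app_443 {
    destination 203.0.113.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_caddy_443
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    # Source NAT to a self IP: required here because the server's default
    # gateway is not the F5, otherwise return traffic bypasses the BIG-IP.
    source-address-translation {
        type automap
    }
    # The two checkboxes from the final post.
    translate-address enabled
    translate-port enabled
}
```

To confirm the handshake is really end-to-end, run openssl s_client against the VIP with -servername set to the site's hostname and check that the certificate shown is the one Caddy issued, not anything on the BIG-IP. If the pool member shows up but no bytes reach it, tcpdump on the BIG-IP (`tcpdump -ni 0.0 host 192.168.1.199 and port 443`) shows whether the server-side connection is being attempted and whether the SNAT self IP, rather than the client's public address, is used as the source.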