configure port 443 to use ssl that is installed on Apache or Caddy server

Lukes · ‎17-Jun-2020

Hi,

Trying to open port 443 (https) without offloading ssl cert. If I dont setup any profile the BigIP does not forward traffic to my server. If I setup only server side SSL profile without any certificate, it forwards, but there is not information about requested host.

I cannot find any information how to do it properly.

Thank you for help

Luke

Mayur_Sutare · ‎18-Jun-2020

Hello As you are trying to skip ssl offloading on F5 and let server handle SSL handshakes, do not configure http profile, client and Server side SSL profiles on the Virtual Server. In this config, client will do ssl handshakes with actual web-server.

Just check settings, if SNAT is required to be enabled. If web-server gateway is not F5, you need to enable SNAT option otherwise it will cause asymmetric routing issue.

Hope it helps!

Mayur

Lukes · ‎18-Jun-2020

Hi Mayur,

I tried that options, and it still does not work. I tried the simplest option which was

the pool for that virtual server has one member 192.168.1.199 with the Service Port set to 0 (I selected *)

I also tried exactly what you said, which was not http profile, no ssl profile for client and server and selected SNAT

Any ideas? How to debug this stuff?

Mayur_Sutare · ‎18-Jun-2020

Now check for Route on F5 for Web-Server IP i.e. 192.168.1.199. Check if proper route is available. This will also cause issues.

Mayur

Lukes · ‎18-Jun-2020

When I ssh to F5 box I can do tracerout on 192.168.1.199 and it works. The Rout that I have on BigIP is only default on which is the gateway type for our public ip.

I have almost 100 Virtual Serves configured and everything works, however I never tried to skip ssl offloading. I cannot believe that it is that complicated. Unless there is a bug in BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2

Lukes · ‎18-Jun-2020

Also, for everybody else, I am trying to run Caddyserver v2. The idea is that the whole application is configured in Caddy and F5 BigIP is pure firewall and if it is possible load balance.

Lukes · ‎18-Jun-2020

I run a few tests. I run openssl externally and internally, and the external one did not receive any response.

Internal:

openssl s_client -connect 192.168.1.199:443 -cipher 'DEFAULT:!ECDH'

CONNECTED(00000003)

3073623740:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 7 bytes and written 161 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

---

External:

openssl s_client -connect next-app.XXXX.com:443 -cipher 'DEFAULT:!ECDH'

CONNECTED(00000003)

write:errno=104

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 0 bytes and written 292 bytes

Verification: OK

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

Early data was not sent

Verify return code: 0 (ok)

---

Lukes · ‎18-Jun-2020

Thank you Mayur for help. I finally fixed it by enabling Address Translation and Port Translation and setting Source Address Translation to AutoMap. Just two checkboxes fixed all issues. Now my Caddyserver v2 aoutoconfigure ssl and runs website without problems. Love it.

DevCentral

configure port 443 to use ssl that is installed on Apache or Caddy server

MFA required on DevCentral