Forum Discussion
1. Yes, it is encrypted and secure.
2. Yes, it is common and much better than plain text if you need some server-side protection. The TLS algorithms already provide a good level of security even if someone is able to get hold of the encrypted traffic.
3. I'm not sure about your setup, but when you configure an HTTPS monitor, you attach a Server SSL profile to it. You can then add your self-signed certificate to BIG-IP's "Trusted Certificate Authorities" so BIG-IP can trust your self-signed server certificate, and set "Untrusted Certificate Response Control" to "drop". Set "Server Certificate" to "Require" so that BIG-IP validates your server certificate, and add your server's CN to "Authenticate Name". For more information, you can check this link here. I also have an article on TLS authentication, mostly for the client side, but the fields are quite similar, with examples, so you can understand it more in depth.
Let me know if you need further help.
- Danny_Arroyo, Jul 13, 2022 (Cirrus)
Rodrigo_Albuque Thanks for your response. I should've included how we create our VIPs. This is a standard VIP that we configure:
1. We configure an HTTP and HTTPS VIP. The HTTP VIP has a policy to redirect to HTTPS
2. We configure the HTTPS VIP as a Standard VIP with a ClientSide HTTP Profile, Clientside SSL Profile and ServerSide SSL Profile. We use "Auto Map" and all other settings are default.
3. The Clientside SSL Profile has a custom profile with "clientssl" set as the parent profile, a trusted certificate, and a custom cipher group. The ServerSide SSL Profile has a custom profile with "serverssl" set as the parent profile, "Default" for the cipher suite, and "Trusted Certificate Authorities" set to "ca-bundle.crt". We do not add any of our self-signed certs to the BIG-IP's "Trusted Certificate Authorities".
4. On the "Resources" tab, we have the pool (configured to use the SSL port on the pool member); the default persistence profile is "cookie" and the fallback persistence profile is "Source_Addr".
So given our setup, are we still secure?
I did not know about item #3 you listed. I will look into implementing this in a test VIP to see how it works and then go from there. What will this actually do for us that is not happening today?
- Jul 14, 2022
As mentioned in my previous answer, it is important to set up the HTTPS monitoring properly.
It might happen that your (bigd) HTTPS monitor marks the pool member as up while the (tmm) traffic breaks.
This comes from the default monitoring behaviour (handled by bigd), which does not validate the server (pool member) certificates, even if you assign a specific serverssl profile.
Please make sure to enable In-TMM monitoring for proper server cert validation.
- Danny_Arroyo, Jul 14, 2022 (Cirrus)
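The settings from Rodrigo's answer (Server SSL profile with CA, "Require", "Authenticate Name", "drop") and Stephan's In-TMM monitoring note, written out as tmsh, as an added example that is not configuration posted by anyone in this thread. Profile names, the CA file name, the hostname and the health URL are placeholder assumptions, and the attribute names are the tmsh equivalents of the GUI fields as recalled, not taken from the thread, so check them against the reference for your BIG-IP version.

```tmsh
# Roughly what the thread's current server-side profile looks like, with the
# default made explicit: serverssl parent, public ca-bundle.crt, and
# peer-cert-mode left at "ignore". The handshake to the pool member is
# encrypted, but the member's certificate is never checked, so any
# certificate (including an attacker's) is accepted on the server side.
create ltm profile server-ssl serverssl-noauth {
    defaults-from serverssl
    ca-file ca-bundle.crt
    peer-cert-mode ignore
}

# Hardened profile (placeholder names): validate the pool member's certificate
# against the internal CA that issued it and require the expected name.
create ltm profile server-ssl serverssl-validate-app {
    defaults-from serverssl
    ca-file internal-ca.crt                   # GUI: Trusted Certificate Authorities
    peer-cert-mode require                    # GUI: Server Certificate = Require
    authenticate-name app.internal.example    # GUI: Authenticate Name (server CN)
    untrusted-cert-response-control drop      # GUI: Untrusted Certificate Response Control
}

# Attach the same profile to the HTTPS monitor, so a member whose certificate
# does not validate is marked down rather than up-while-traffic-breaks.
create ltm monitor https app-https-validated {
    defaults-from https
    send "GET /health HTTP/1.1\r\nHost: app.internal.example\r\nConnection: close\r\n\r\n"
    recv "200 OK"
    ssl-profile serverssl-validate-app
}

# Stephan's point: bigd-driven monitors skip certificate validation even with
# a server-ssl profile assigned; In-TMM monitoring makes the monitor honour
# the profile settings above.
modify sys db bigd.tmm value enable

# Use the validating profile on the virtual server's server side and persist.
modify ltm virtual app-https-vs profiles add { serverssl-validate-app { context serverside } }
save sys config
```

A quick check after applying this: point the pool member at a certificate not issued by internal-ca.crt (or with a different CN) and confirm the member goes down in the monitor rather than staying up.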
Thanks for this information Stephan. I was not aware of this either. I will read through the link you provided and get this implemented.
However, based on the standard configuration of our VIPs on the BIG-IP (that I listed in my last reply), are we still doing end-to-end encryption? I am concerned because currently we don't add the self-signed certificate to the BIG-IP's "Trusted Certificate Authorities", and from what Rodrigo_Albuque mentioned, it means that the self-signed cert is not trusted. Therefore, is our traffic from the BIG-IP to our pool members secure?