Forum Discussion

phillip-Newbie's avatar
phillip-Newbie
Icon for Nimbostratus rankNimbostratus
Mar 19, 2021

F5 and the way forward

Hello,

 

 I have the following test server configuration .. 

 

1) a third party bespoke application that allows https to be setup within that application. the application has its own maintenance web pages as well as server traffic

 

2) apache server

 

3) F5 

 

 

 

I am trying to work out whats the best way to implement https in this configuration as I have some knowledge but I need to improve that knowledge.

 

 

a) I can implement SSL offloading on F5 which should be enough for the clients, if there was a possibility of contacting the server directly this would mean that I would also have to apply https to the third party application.

 

b) I can implement on F5 a "client, server" ssl profile with a server private key / server cert and check the "proxy ssl" box - Essentially what this proxy ssl solution does is a bulk encrypt and decrypt which can happen between the client / F5 / server.  

 

c) The next idea would be an SSL forward proxy solution - "local CA" on F5 and "geotrust CA" on the server which would then allow the BigIP to "forge" a certificate for the domain name on the server which would be done via the trust relationship with the local CA. Basically, this would remove the trust relationship from the server and move it to F5 Big-IP

 

I am tempted to go for option B which would cover the application and F5

I appreciate that its hard given the brief description above but that's as much as I have at the moment.

Someone suggested using different keys on the F5 and the bespoke application, but I can not see how this would work given my knowledge of F5, as it would require two ssl certs to be authenticated which does not make sense to me and would not work from my knowledge.

 

Anyone got a good suggestion? 

6 Replies

  • Morning Alex,

    First of all thank you for responding to my question.

     

    I totally agree with what you are saying and normally I would suggest this,

    but consider that a group of developers could deliver to that environment several fix's, lets say "performance fixes together with bug fixes" and something goes wrong and its time critical. For that environment to be locked down then the "sprint" would have come and gone before the issue could be diagnosed.

    I opened the thread for a general discussion to ...

    1) improve my thinking around this subject area

    2) to look at options that I might have missed.

    3) I want an option of flexibility that will allow developers to diagnose an issue before it gets production when either myself or the testers flag issues with the code drop.

    4) You can never stop learning and someone out there is better than myself for sure.

     

    At no point do I say that you are wrong as you are correct!

    I am looking for a flexible approach that I could trouble shoot when required. I have no doubt that this last comment will open up a debate for sure :-)

     

    • AlexS_yb's avatar
      AlexS_yb
      Icon for Cirrocumulus rankCirrocumulus

      Note - I'm a F5 newbie. but :) the approach I would take - and trying to keep it simple. KISS

      is move SSL to the F5 make every one connect via here. if you have multipaths it just causing pain.

       

      You want a break fix solution, put in a policy , irule, or ??? something that gives the devs emergency access if needed, straight through rule, that is only ip based or some limiting factor.

       

      if the problem is the app being behind a reverse proxy .. well that will need some testing before hand.

       

      But ... I don't know your environment so ... there might be other mitigating factors

       

      • phillip-Newbie's avatar
        phillip-Newbie
        Icon for Nimbostratus rankNimbostratus

        Afternoon Alex,

         

        First of all thanks for responding again !

         

        I have been looking at various F5 documents and came to the conclusion that if I was to implement a "Full SSL Proxy / SSL Re-Encryption /" solution with apache ModSecurity then this would give me a load balancer using SSL and a WAF behind the load balancer to filter out attacks.

        I came to the conclusion that SSL up to the apache reverse proxy server would be in force. The documentation says that ModSecurity would remove the SSL after apache modsecurity has examined the https request.

        Surely, modsecurity would be sufficient to filter out attacks? Freeware Hmmmm !!!

         

        Then I might be completely wrong and I have missed something obvious, and there could be a better solution out there?

         

        I did go down the path of moving SSL to F5 only (SSL offloading) but then including the WAF after the LB to provide additional security was a cause for concern as this should be SSL encrypted communication.

         

        Locking down ports and implementing access control was then my next thought.

         

        The post was to see what a wider audience could suggest but there appears to be very few people who want to discuss this area?

        Thanks for responding Alex !

         

         

        Documents read

        https://www.f5.com/company/blog/where-does-a-waf-fit-in-the-data-path

        https://support.f5.com/csp/article/K65271370

        https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch01-introduction.html

  • Morning Alex,

    Yes, nginx was something that I considered and it looks like a similar product to modsec, but nginx appears to have a few more bells and whistles. I do not know this product (nginx) to be honest.

     

    Forums are not about being perfectly correct but about helping others with constructive ideas and suggestions. Forums help people to be better people by helping others when they have questions but unfortunately my post was read by a large number of people and ignored before you answered. And still ignored :-)

     

    We all go through a learning curve and stumble at a hurdle, its how the people around you help you with that hurdle.

     

    Thanks!

     

    For reading (I know its the other way round but its worth a read)

    https://www.nginx.com/blog/when-how-to-migrate-your-f5-big-ip-load-balancer/