Afternoon Alex,
First of all, thanks for responding again!
I have been looking at various F5 documents and came to the conclusion that if I were to implement a "Full SSL Proxy / SSL Re-Encryption" solution with Apache ModSecurity, then this would give me a load balancer using SSL and a WAF behind the load balancer to filter out attacks.
I came to the conclusion that SSL up to the Apache reverse proxy server would be in force. The documentation says that ModSecurity would remove the SSL after Apache ModSecurity has examined the HTTPS request.
Surely ModSecurity would be sufficient to filter out attacks? Freeware, hmmmm!
Then I might be completely wrong and I have missed something obvious, and there could be a better solution out there?
I did go down the path of moving SSL to F5 only (SSL offloading), but then including the WAF after the LB to provide additional security was a cause for concern, as this should be SSL-encrypted communication.
Locking down ports and implementing access control was then my next thought.
The post was to see what a wider audience could suggest, but there appear to be very few people who want to discuss this area?
Thanks for responding, Alex!
Documents read:
https://www.f5.com/company/blog/where-does-a-waf-fit-in-the-data-path
https://support.f5.com/csp/article/K65271370
https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch01-introduction.html
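
For reference, the Apache leg of the re-encryption design discussed in this post could be configured as below. This is an added example, not part of the original post or taken from the F5 or ModSecurity documents listed above; hostnames, ports and file paths are placeholders, and it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_security2 are loaded with a rule set included at server level.

```apache
# Added example. All hostnames, ports and paths are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName waf.example.internal

    # Leg 1: the load balancer re-encrypts to Apache.
    # mod_ssl terminates this TLS session before any request processing.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/waf.example.internal.crt
    SSLCertificateKeyFile /etc/pki/tls/private/waf.example.internal.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # ModSecurity inspects the decrypted request inside the Apache process.
    # Rules are assumed to be loaded at server level (not shown here).
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Leg 2: mod_proxy opens a new TLS session to the application server,
    # so traffic behind the WAF is encrypted as well.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerName on
    ProxyPass        / https://app.example.internal:8443/
    ProxyPassReverse / https://app.example.internal:8443/
</VirtualHost>
```

With `SSLProxyVerify require` and `SSLProxyCheckPeerName on`, Apache refuses to forward to a backend whose certificate does not chain to the given CA or does not match the hostname in `ProxyPass`.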