12-Oct-2023 02:40
Greetings everyone,
My environment is basically a web hosting datacenter; some web applications require SSL authentication from clients attempting to connect to these services. The web server itself is the one doing this authentication.
I need to know how to configure the virtual server in order to pass the certificate presented by the client to the web server itself (or a workaround, of course, that would fulfill the same purpose).
Currently, such applications' virtual servers are set as Performance (Layer 4), i.e. no inspection is done.
I think this has a relation to the server SSL profile, which I don't quite understand. Here are some workarounds I thought about:
1- I link my F5 to my Active Directory and let the F5 be the one to require the SSL certificate and authenticate the user.
2- There is a virtual server type that I don't know about that can pass the client certificate to the web server.
My current F5 version is 16.1.3, running as a virtual machine.
12-Oct-2023 05:27
Hi @Gebo,
F5 BIG-IP can do this. BIG-IP can give the servers the upper hand to terminate SSL connections without intervention by using the Proxy SSL feature. Look at these articles, which contain more details and the steps to do that:
https://my.f5.com/manage/s/article/K13385
https://techdocs.f5.com/content/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administratio...
Using Proxy SSL leverages you:
I hope this helps you 🙂
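As an added example (not part of the reply above and not taken from F5's documentation), this is how the Proxy SSL setup could look in tmsh on a Standard virtual server. All object names, IP addresses and certificate file names are placeholders, and it assumes the web server's certificate and key have already been imported on the BIG-IP.

```tmsh
# Added illustration; object names, addresses and file names are placeholders.
# Run from the BIG-IP bash prompt. Proxy SSL needs the back-end web server's
# own certificate and private key imported on the BIG-IP beforehand.

# Pool pointing at the web server that performs client-certificate authentication
tmsh create ltm pool pool_app members add { 198.51.100.20:443 }

# Client SSL profile with Proxy SSL enabled, using the web server's cert and key
tmsh create ltm profile client-ssl proxyssl_client \
    defaults-from clientssl \
    cert-key-chain replace-all-with { app_ckc { cert app.example.crt key app.example.key } } \
    proxy-ssl enabled

# Server SSL profile with Proxy SSL enabled
tmsh create ltm profile server-ssl proxyssl_server \
    defaults-from serverssl \
    proxy-ssl enabled

# Standard virtual server (not Performance Layer 4) carrying both profiles
tmsh create ltm virtual vs_app_proxyssl \
    destination 192.0.2.10:443 ip-protocol tcp \
    pool pool_app \
    profiles add { tcp { } proxyssl_client { context clientside } proxyssl_server { context serverside } }

# Check that Proxy SSL is enabled on both profiles and that both are attached
tmsh list ltm profile client-ssl proxyssl_client proxy-ssl
tmsh list ltm profile server-ssl proxyssl_server proxy-ssl
tmsh list ltm virtual vs_app_proxyssl profiles
```

With this setup the BIG-IP holds a copy of the web server's private key, so access to the key on the BIG-IP should be restricted the same way it is on the server.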
12-Oct-2023 22:53
Hi Gebo,
HTTP profiles are not compatible with virtual servers that perform HTTPS passthrough, like Layer 4 performance VIPs, since the HTTP profile cannot see any of the HTTP headers or content inside the SSL-encrypted packets passing through the virtual server.
Moreover, applying an HTTP profile to an HTTPS passthrough virtual server can actually break the virtual server's functionality, or impact the performance of the application hosted by the virtual server.
To perform a data inspection for encrypted (HTTPS) traffic, you must associate the Secure Sockets Layer (SSL) profile to a standard virtual server so that it can decrypt and re-encrypt the traffic passing through the virtual server.
F5 recommends that you use the HTTPS profile with a standard virtual server instead of a Layer 4 virtual server.
When you assign an HTTP profile to a Layer 4 virtual server, you can use this combination only to gather statistics on HTTP data, as well as with some iRule commands that perform HTTP data read-only operations.
The following list describes the limitations of the HTTP profile when you use it with the Layer 4 virtual server:
Note: For more information, refer to K12015: Configuration requirements for SSL virtual servers, profiles, pools, and monitors.
HTH
🙏