Policies to move HTTPS traffic

John_Krum
Cirrus

I am trying to share a 443 NAT on a firewall sending traffic to the LTM. Once it gets to the F5 I want formview.xxx.org to go to pool-Forms and WEBview.xxx.org to go to pool-WEB. Is that possible with HTTPS traffic? Do the nodes need to use http?

It's been 10 years since I have worked on LTMs - I have a fair amount of refreshing and catching up. Thanks in advance.

John

19 REPLIES

Daniel_Wolf
Nacreous

Hi John,

Yes, it is possible. You could use LTM Traffic Policies to match the HTTP Host value and forward traffic to the pool accordingly. Get started with this article: devcentral - LTM Policy

A policy rule could look like this:

[screenshot: policy rule]

And for the SSL profile take a look at this solution: K13452: Configure a virtual server to serve multiple HTTPS sites using the TLS Server Name Indicatio...

With SNI you can configure which SSL certificate will be used to authenticate the VS to the client and to secure the connection.

KR

Daniel

I have looked at the first reference link earlier as well. Here is more detail regarding what I am trying to accomplish.

I have an outside firewall NAT for incoming 443 traffic on 96.103.236.222 that forwards that traffic to a LTM VIP 192.168.5.5 listening on 443.

I am trying to have sites Viewforms.mycompany.org and Employee.mycompany.org (I am also thinking it might be better to do Mycompany.web.org/viewforms and Mycompany.web.org/employees, but the first one is preferred).

The VIP is basic.

HTTP profile is HTTP – I have to select a http or a http-connect profile (this is where I am not sure why I require an http profile, it makes me think that the server connection is http)

Automap

Resources: I don’t have a default pool selected (I did to verify I get the login page prior to adding a policy)

Policy is DMZ-Cop

DMZ-Cop is

Match HTTP Host -> host -> is -> any of -> Viewforms.mycompany.org or viewforms -> at request time

Do the following Forward traffic -> to pool -> viewforms-pool

When I https to the page Viewforms.mycompany.org I do not see any policy statistics, invoked or succeeded. I haven’t tried adding any info for the second site.

Once I change the VIP config http profile (client) to http – I no longer connect to the login page. I do see TCP handshake, Client Hello, and an ACK to that. 1.5 seconds later a FIN from my side.

Thanks

John Krumenacher

This is gonna be a detailed one...

First of all the virtual server - you mentioned that publishing the virtual server with port 443.

So your virtual server should have a HTTP profile and several clientside SSL profiles.

No serverside SSL and also using SNAT Automap (in prod I'd use SNAT Pool).

In this example I have one for each FQDN.

This is how my VS looks like.

[screenshot: virtual server configuration]

One of the clientside SSL profiles has the checkbox "Default SSL Profile for SNI" checked.

[screenshot]

All others have only a Server Name set.

[screenshot]

However all SSL profiles have the same Key / Cert, but all FQDNs are in the SAN.

[screenshot]

And finally this is my LTM Traffic Policy for content switching based on FQDN.

[screenshot]

You could add a logging action too, to each rule to check whether the condition is matched.

 

Daniel,

Are you sending screen shots as well? This is what I am seeing.

[image]

I have added a copy of the clientssl which I added the option Default SSL Profile for SNI. It was the default_ssl_sni line item that made me think there was more to the picture that I should be referencing as well.

Thanks

John Krumenacher

I cannot see the screenshot you sent, but I would say this solution is covering all required configurations: https://support.f5.com/csp/article/K13452

O.K. Thank you, I do see the additional links in the article should add additional detail and follow your outline. FYI – if you were sending screen shots, they were not showing up in email or viewed as a web page. Just small icons. Thanks again, John Krumenacher

Good afternoon Daniel,

A couple of things. I learned here that I should follow the thread online. I do see the images there. I noticed that today, but in the meantime I did go through the article step by step and it too was helpful. I am waiting for the server team to generate a new cert to be used by both servers, with the same common name and each FQDN in the SAN section.

Thanks

John Krumenacher

Good Afternoon Daniel,

I have followed your guide, and the tech doc. to create the VIP/Policy and SSL profiles. I added logging as well to the policy. I am getting log entries for this policy. I have compared pcaps from going through the VIP and going directly to the server. I have captured on both the client side and server side of each. (on the VIP captures) I see the Client hello - client side, client key exchange - server side and a cipher specs finish - client side.

 

On the client side capture there is a server hello - change cipher specs and

a change cipher specs finished

that is not present in the client to server capture (no LTM)

an HTTP get / http/1.1 with the full URI https://view.mycomp.org

 

the vip ACKs the change cipher specs

ACKs the Get

and sends a RST

 

On the server side capture I get an encryption alert 21 from the VIP.

 

I think I am making progress.

 

Any ideas for me on this?

Thank you,

John

I am not quite sure if I understand you. You took a capture accessing the webserver directly and another one accessing via the BIG-IP.

What is missing in the capture you took on the BIG-IP? The handshake between your client and the BIG-IP, or between the BIG-IP and server?

 

Can you share some snippets from your config and/or the captures?

I log - hit viewcenter in my policy.

Sorry about that last reply... Let me take a few and post.

I log at the policy.

 

[screenshot]

Here is the server side/client side pcap snippets. SNAT is 10.0.8.2. Client is 10.10.1.89. I think the dups are due to VPN in to the network.

[screenshots: pcap snippets]

So it looks like your pool member is listening on https, correct? In this case you are missing a server-side SSL profile in your VS config.

I created a server side ssl profile and added it to the VIP. I will include 4 shots of both client and server profiles for you to check out. I use the same cert and key for both sides, and passphrase. On the server profile2 I tested it with just Default SSL for SNI checked, Just Server Name added and then as you see it with both. My client side pcap looks the same as yesterday. Thanks again for all your time with this. I am much closer.

[screenshots: client and server SSL profiles]

Daniel,

HEY HEY, I figured it out. I missed something so blatant I am too embarrassed to post it... Just kidding. When I added logging to do the following when traffic is matched. I never added back in the forward traffic to the pool. No kidding.

 

Thanks again for all your help.

 

John

John, if you think that any of my answers has helped you solve your issue please mark it as "Best answer".

It can happen... sometimes you get lost in debugging... 🙂

Daniel,

Looking closer at the pcaps and the conf VS to serve multiple HTTPS sites I switched up my policy. Now I can see that the policy is getting both invoked and succeeded hits of equal amounts.

DMZ-Cop is

Match SSL Extension -> server name -> is -> any of -> Viewforms.mycompany.org or viewforms -> at client hello

Do the following Forward traffic -> to pool -> viewforms-pool

I have the same end results. No Server hello in reply to the client hello. I assume this is due to the fact that the server has the cert and I am directing traffic to it via a profile?

[image]

Thanks again,

John Krumenacher
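Added example, not part of the original thread and not F5 code: the two policy conditions tried above ("SSL Extension server name at client hello" and "HTTP Host at request time") read different layers of the connection. This Python code parses a constructed ClientHello to show that the server name is readable before any decryption, while the Host header can only be matched on the decrypted request, which is why the Host-based rule needs a client SSL profile and an HTTP profile on the virtual server. The pool map, the employee-pool name and all function names are assumptions made for the illustration.

```python
import struct

# Pool map mirroring the thread's policy; employee-pool is a constructed name.
POOLS = {"viewforms.mycompany.org": "viewforms-pool",
         "employee.mycompany.org": "employee-pool"}

def build_client_hello(server_name):
    """Constructed sample input: minimal TLS 1.2 ClientHello with one SNI entry."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni              # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"              # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # record type 22 = handshake

def sni_from_client_hello(record):
    """Return the SNI name from a cleartext ClientHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32            # record header, handshake header, version, random
    try:
        p += 1 + record[p]                               # session id
        p += 2 + int.from_bytes(record[p:p + 2], "big")  # cipher suites
        p += 1 + record[p]                               # compression methods
        end = p + 2 + int.from_bytes(record[p:p + 2], "big")
        p += 2
        while p + 4 <= min(end, len(record)):
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            if etype == 0:    # skip list length (2) and name type (1)
                nlen = int.from_bytes(record[p + 7:p + 9], "big")
                return record[p + 9:p + 9 + nlen].decode("ascii").lower()
            p += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def pool_for_request(decrypted_request):
    """Pick a pool by HTTP Host header; readable only after TLS is terminated."""
    for line in decrypted_request.split(b"\r\n")[1:]:
        if not line:
            break
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return POOLS.get(host.split(":")[0])
    return None
```

Feeding the raw ClientHello bytes to `pool_for_request` returns `None`, which mirrors a Host-based rule never firing when the traffic has not been decrypted first.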