omar_padilla
Dec 01, 2020

Protect CloudFront service with ASM VE in AWS

Hello, I am trying to protect a web application that is hosted in AWS, but before the traffic is directed to the backend servers it first goes through a CDN (CloudFront). The F5 is in front of the CloudFront, and the traffic is seen entering the F5. However, when the traffic is sent to the backend (CloudFront) I see SSL proxy problems in the logs; when I remove the SSL profiles (client and server) the service works. I have checked that the profiles are well created. In the captures you can see that there is a problem with the SSL negotiation with the backend (CloudFront). If CloudFront is consumed directly over HTTPS it works correctly.

pcap

1 Reply

  • Well, it looks like the ServerHello from the CloudFront server does not meet the server-ssl profile requirements, and the BIG-IP terminates the connection. You have to figure out what works, and make sure that the server-ssl profile matches.

    Look at the incoming client-side ClientHello. The outgoing server-side ClientHello needs to match as closely as possible. Check for a Server Name Indication extension on the server side. Check the supported TLS protocols and ciphers.

    Craft a specific server-ssl profile to ensure that, as closely as possible, the ClientHello requests match.
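The comparison the reply recommends, written out as an added example that is not part of the thread: it builds two constructed ClientHello records (a browser-side hello with SNI and TLS 1.3 offered, and a BIG-IP server-side hello sent without SNI and TLS 1.2 only), parses both and reports the mismatches that a server-ssl profile would need to close. The hostname app.example.com, the cipher suite IDs and the sample values are assumptions for illustration; in practice feed `diff_hellos` the raw ClientHello bytes exported from the two sides of the pcap.

```python
import struct

def build_client_hello(ciphers, sni=None, versions=()):
    """Build a minimal TLS ClientHello record (constructed test input, not a real capture)."""
    exts = b""
    if sni:  # server_name extension, type 0
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode()
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(body)) + body
    if versions:  # supported_versions extension, type 43
        body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", 43, len(body)) + body
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(ciphers))
             + b"".join(struct.pack("!H", c) for c in ciphers) + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Pull SNI, offered protocol versions and cipher suites out of a ClientHello record."""
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a TLS ClientHello"
    p = 9 + 2 + 32                      # record + handshake headers, legacy version, random
    p += 1 + rec[p]                     # session id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                     # compression methods
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    info = {"sni": None, "versions": [], "ciphers": ciphers}
    while p < end:
        typ, ln = struct.unpack("!HH", rec[p:p + 4]); data = rec[p + 4:p + 4 + ln]; p += 4 + ln
        if typ == 0:    # server_name: list length(2), name type(1), name length(2), name
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif typ == 43: # supported_versions: byte count(1), then 2-byte versions
            info["versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return info

def diff_hellos(client_side, server_side):
    """List the ways the BIG-IP's server-side ClientHello falls short of the browser's."""
    c, s = parse_client_hello(client_side), parse_client_hello(server_side)
    findings = []
    if c["sni"] and s["sni"] != c["sni"]:
        findings.append(f"SNI missing or different on server side: {s['sni']!r} vs {c['sni']!r}")
    if set(c["versions"]) - set(s["versions"]):
        findings.append(f"server side offers fewer TLS versions: {s['versions']} vs {c['versions']}")
    missing = [hex(x) for x in c["ciphers"] if x not in s["ciphers"]]
    return findings + ([f"cipher suites dropped on server side: {missing}"] if missing else [])

CLIENT_SIDE = build_client_hello([0x1301, 0xC02F], sni="app.example.com", versions=[0x0304, 0x0303])  # constructed browser hello
SERVER_SIDE = build_client_hello([0xC02F], versions=[0x0303])  # constructed BIG-IP hello: no SNI, TLS 1.2 only
```

Each finding maps to a server-ssl profile setting to review (SNI server name, allowed protocol versions, cipher string); an empty list means the two hellos already agree on these three points.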