Technical Forum

Protect CloudFront service with ASM VE on AWS

omar_padilla
Altostratus

Hello, I am trying to protect a web application that is hosted in AWS. Before the traffic is directed to the backend servers it first passes through a CDN (CloudFront), and the F5 sits in front of CloudFront. The traffic is seen entering the F5; however, when the traffic is sent to the backend (CloudFront) I see SSL proxy problems in the logs. When I remove the SSL profiles (client and server) the service works. I have checked that the profiles are well created. In the captures you can see that there is a problem with the SSL negotiation with the backend (CloudFront); if CloudFront is consumed directly over HTTPS it works correctly.

[Attachments: two screenshots and a pcap]


Simon_Blakely
F5 Employee

Well, it looks like the ServerHello from the CloudFront server does not meet the server-ssl profile requirements, and the BIG-IP terminates the connection. You have to figure out what works, and make sure that the server-ssl profile matches.

Look at the incoming client-side ClientHello. The outgoing server-side ClientHello needs to match as closely as possible. Check for a Server Name Indication extension on the server side. Check the supported TLS protocols and ciphers.

Craft a specific server-ssl profile to ensure that, as closely as possible, the ClientHello requests match.
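As an added example (not from the original thread or from F5), a small Python script that pulls the SNI, offered protocol versions and cipher suites out of a TLS ClientHello record and reports where a server-side hello falls short of the client-side one, which is the comparison the reply above asks for. The two hellos it runs on are constructed in the script itself (the hostname `example.cloudfront.net` is a placeholder), not taken from the poster's captures; on real traffic you would feed it the raw ClientHello records exported from the pcap.

```python
import struct

EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B

def u16(buf, off):
    return struct.unpack("!H", buf[off:off + 2])[0]

def parse_client_hello(record: bytes) -> dict:
    """Extract SNI, offered protocol versions and cipher suites from a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32 + 1 + body[34]                     # skip legacy_version, random, session_id
    n, pos = u16(body, pos), pos + 2
    suites = [u16(body, i) for i in range(pos, pos + n, 2)]
    pos += n + 1 + body[pos + n]                    # skip cipher suites and compression methods
    ext_end, pos = pos + 2 + u16(body, pos), pos + 2
    sni, versions = None, [u16(body, 0)]            # without supported_versions, legacy_version rules
    while pos < ext_end:
        etype, elen = u16(body, pos), u16(body, pos + 2)
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SNI:                        # ServerNameList: list_len(2) type(1) len(2) host
            sni = data[5:5 + u16(data, 3)].decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:       # length(1) then 2-byte version codes
            versions = [u16(data, i) for i in range(1, 1 + data[0], 2)]
    return {"sni": sni, "versions": versions, "ciphers": suites}

def compare_hellos(client_side: bytes, server_side: bytes) -> dict:
    """Report what the server-side ClientHello lacks relative to the client-side one."""
    c, s = parse_client_hello(client_side), parse_client_hello(server_side)
    return {"sni_missing": bool(c["sni"]) and not s["sni"],
            "versions_missing": [v for v in c["versions"] if v not in s["versions"]],
            "no_common_cipher": not set(c["ciphers"]) & set(s["ciphers"])}

def build_client_hello(sni, versions, suites) -> bytes:
    """Constructed sample ClientHello (not captured traffic) used to exercise the parser."""
    vers = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers)) + vers
    if sni:                                         # omit the SNI extension when no name is given
        name = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode()
        exts += struct.pack("!HH", EXT_SNI, len(name)) + name
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

# Constructed pair: browser hello on the client side vs. a hypothetical mis-tuned server-ssl profile (no SNI, TLS 1.2 only, RSA-AES128-SHA).
CLIENT_SIDE = build_client_hello("example.cloudfront.net", [0x0304, 0x0303], [0x1301, 0xC02F])
SERVER_SIDE = build_client_hello(None, [0x0303], [0x002F])
```

Each `True` or non-empty entry in `compare_hellos(CLIENT_SIDE, SERVER_SIDE)` names a setting (SNI server name, allowed protocol versions, cipher string) to adjust in the server-ssl profile.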