Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

protect cloudfront service whit asm VE AWS

omar_padilla
Altocumulus
Altocumulus

‎01-Dec-2020 13:36

Hello, I am trying to protect a web application that is hosted in aws, but it turns out that before directing the traffic to the backend servers first for a cdn, (cloudfront), the F5 is in front of the coudfront, the traffic is seen entering the F5 However, when the traffic is sent to the backed (cloudfront) I see ssl proxy problems in the logs, when I remove the ssl profiles (client and server) the service works, I have checked that the profiles are well created, in the captures you see that there is a problem with the ssl negotiation with the backed (ckoudfront), if the cloudfront is consumed directly by https it works correctly

0691T000009jy5hQAA.png

 

pcap

 

0691T000009jy3mQAA.png

Labels:
0 Kudos
1 REPLY 1

Simon_Blakely
F5 Employee
F5 Employee

‎01-Dec-2020 14:16

Well, it looks like the ServerHello from the Cloudfront server does not meet the server-ssl profile requirements, and the BigIP terminates the connection. You have to figure out what works, and make sure that the server-ssl profile matches.

 

Look at the incoming client-side ClientHello. The outgoing server-side ClientHello needs to match as closely as possible. Check for a Server-Name Indication extension on the server-side. Check the supported TLS protocols and ciphers.

 

Craft a specific server-ssl profile to ensure that as closely as possible, the ClientHello requests match.

0 Kudos
Copyright © 2023 Khoros, LLC