Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

protect cloudfront service whit asm VE AWS


Hello, I am trying to protect a web application that is hosted in aws, but it turns out that before directing the traffic to the backend servers first for a cdn, (cloudfront), the F5 is in front of the coudfront, the traffic is seen entering the F5 However, when the traffic is sent to the backed (cloudfront) I see ssl proxy problems in the logs, when I remove the ssl profiles (client and server) the service works, I have checked that the profiles are well created, in the captures you see that there is a problem with the ssl negotiation with the backed (ckoudfront), if the cloudfront is consumed directly by https it works correctly







F5 Employee
F5 Employee

Well, it looks like the ServerHello from the Cloudfront server does not meet the server-ssl profile requirements, and the BigIP terminates the connection. You have to figure out what works, and make sure that the server-ssl profile matches.


Look at the incoming client-side ClientHello. The outgoing server-side ClientHello needs to match as closely as possible. Check for a Server-Name Indication extension on the server-side. Check the supported TLS protocols and ciphers.


Craft a specific server-ssl profile to ensure that as closely as possible, the ClientHello requests match.