serverssl and ssl offloading (http to https)

Question

Hi, 
&nbsp; I'm trying to make ssl offloading on HTTP. 
&nbsp;  
&nbsp; Request comes from client via HTTP and on F5 I'm trying to tunel it on HTTPS to the server. 
&nbsp; For example client requests: http://www.f5.com and it comes via http to f5, then on F5 I make ssl connection to https://www.f5.com (client can view only http connection). 
&nbsp;  
&nbsp; I created 2 virtualservers: 
&nbsp; virtual virtualserver1 { 
&nbsp;    ip forward 
&nbsp;    destination any:any 
&nbsp;    mask none 
&nbsp;    vlans IN 
&nbsp;    OUT enable 
&nbsp; } 
&nbsp;  
&nbsp; virtual virtualserver2 { 
&nbsp;    pool nextrouter 
&nbsp;    destination any:80 
&nbsp;    mask none 
&nbsp;    ip protocol tcp 
&nbsp;    vlans IN enable 
&nbsp;    rules proxyit 
&nbsp;    profiles 
&nbsp;       serverssl 
&nbsp;       tcp 
&nbsp; } 
&nbsp;  
&nbsp; rule proxyit { 
&nbsp;    when  CLIENT_ACCEPTED { 
&nbsp;      node U.X.Y.Z 443 
&nbsp;    } 
&nbsp; } 
&nbsp;  
&nbsp; Where U.X.Y.Z is IP address of interface where virtualserver1 listens (IN). 
&nbsp; pool nextrouter has IP address of next gateway. 
&nbsp;  
&nbsp; And now I can see packets, which comes in via IN interface, goes to virtualserver2 and that's all. 
&nbsp; Directive "node U.X.Y.Z 443" doesn't send packets to IN interface. 
&nbsp;  
&nbsp; Where can be the problem?

hooleylist · Answer

I'm not sure this would work, but can you try changing the iRule to:

when CLIENT_ACCEPTED { 
  
    node [IP::local_addr] 443 
 }

Also, is it a limited set of destination hosts which can/will be requested through the wildcard VIP?  If you do get this configuration working, I think you'll see failures when clients make an HTTP request to the VIP for a destination host which doesn't support SSL on port 443. 
  
 Aaron

bartek_krajnik_ · Answer

Trick with "node [IP::local_addr] 443 " doesn't work. 
&nbsp; Regards redirected clients I will enable it only for a few domains which support SSL on port 443. 
&nbsp;  
&nbsp; I still haven't any redirected packet after "node" directive. Any idea? 
&nbsp; Thx a lot.

bartek_krajnik_ · Answer

Can it be a problem with different software version? I'm using 9.6.1 and somone told me, that upgrade to version 10 can help. 
&nbsp; I can not upgrade it and strictly I need some solution on this version of software.

hooleylist · Answer

If you remove the proxyit iRule and define the nextrouter pool member(s) on port 443 does it work?  If not, do you see a server side connection attempted to the destination IP address? 
&nbsp;  
&nbsp; I can't think of a reason it should matter if you're running 9.6.x versus 10.x for this. 
&nbsp;  
&nbsp; Aaron

bartek_krajnik_ · Answer

If I add "forward" rule to iRule then it forwards packets. 
&nbsp; Adding "SSL::enable serverside" also redirects traffic, but as I think then I need to rewrite URL (http-&gt;https) and dest_port (80-&gt;443). 
&nbsp; I'm testing it just now.

Forum Discussion

serverssl and ssl offloading (http to https)

6 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

SSL Offload with HTTP/2.0

HTTPS offload rewriting

Activate serverssl profile in iRule

HTTP Multipart and Security Implications

The HTTP/2 CONTINUATION frame attack