SSL off-loading and secure WebSocket

vtortola_141944
Nimbostratus

Hi,

We have a Big-IP load balancer, and we are planning to publish a web application that uses secure WebSockets (WSS).

We are a little bit concerned about how the load balancer is going to handle this situation, because of the SSL offloading. Is there anything special we have to configure or take care of?

Clients will send an HTTPS request with a WebSocket handshake, that includes the HTTP headers "Upgrade:websocket" and "Connection:Upgrade". Will the load balancer populate those headers to the web server? Will the load balancer understand that those connections are persistent and non-HTTP?

Thanks.

8 REPLIES

nitass_89166
Noctilucent

It is supported in 11.4.0 or later.

Prior to 11.4.0, you can use a TCP virtual server with a clientssl/serverssl profile, or an HTTP virtual server with a clientssl/serverssl profile and an iRule to disable the HTTP profile for WebSocket traffic.

sol14754: BIG-IP support for the WebSocket protocol

http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14754.html

That link does not say anything about WSS and SSL off-loading.

sachin_80710
Nimbostratus

On AskF5 we don't find any document that explains how to configure WebSocket on 11.4.0 and later.

nitass
F5 Employee

I understand that what it does is disable the HTTP profile when it detects the Upgrade header (the SSL profile is still applied).

Kevin_Stewart
F5 Employee

If I may add, the point is that the F5 doesn't really understand the WSS protocol messages, so the HTTP profile would likely break it. If you don't use an HTTP profile and simply treat the traffic as TCP data, you can offload the SSL and optionally re-encrypt without touching the layer 7 data. It'd be like passing any other non-standard TCP-based protocol through the F5.

Danish
Altocumulus

I also have a similar requirement. Were you able to get a solution?