05-Jun-2023 12:07
Current flow is as below
Client -> F5 LTM (SSL Proxying) -> On premise Application Servers (TLS Offloading).
Certificates that do TLS offloading have the F5 LTM DNS name as CN/SAN.
For a migration of my on-premise application stack to the cloud, I need to achieve the two cases below.
Client -> F5 LTM (SSL offloading for specific client IPs & Reencrypt TLS) -> New Stack cloud Application
Client -> F5 LTM (SSL Proxying) -> On premise Application Servers (TLS Offloading).
I have gone through Bypass ssl offloading to certain IPs - DevCentral (f5.com) & SSL Offloading using iRules - DevCentral (f5.com), but they are not the exact case. I wanted to confirm with the experts here in the forum, please. Can someone kindly shed some light & give a small example, please?
05-Jun-2023 14:30
Something like this maybe (where offload_ips is a data-group with ip host and ip/mask as specified)
when CLIENT_ACCEPTED priority 500 {
    # offload_ips: address data group holding single hosts and ip/mask subnets
    if {[class match -- [IP::client_addr] equals offload_ips]} {
        # Client is in the migration list: terminate TLS on the LTM (client SSL profile)
        # and send to the cloud pool; the server SSL profile re-encrypts to the pool
        SSL::enable
        pool new_stack_cloud_application
    } else {
        # Everyone else: leave the client TLS session untouched and pass it through
        # to the on-premise servers (if a server SSL profile is also attached, that leg
        # needs "SSL::disable serverside" as well to avoid double encryption)
        SSL::disable
        pool on_premise_applications_servers
    }
}
05-Jun-2023 23:29 - edited 05-Jun-2023 23:33
@JRahm, I beg to differ and offer a different solution. Not every problem requires an iRule to be solved. 🙂
I'd rather create two virtual servers, one with pool_A and SSL Bridging configured and another one with pool_B and SSL Passthrough, and make use of K14800: Order of precedence for virtual server matching.
Order | Destination    | Source            | Port
1     | (host address) | (network address) | (port)
2     | (host address) | *                 | (port)
For the source you can use an Address List as described in this Manual article: Configuring Multiple IP Addresses and Service Ports for a Virtual Server. This would replace the datagroup for matching the source IP address(es).
KR
Daniel
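The two approaches above make the same per-client decision in different places: the iRule consults an address data group on every connection, while the two-virtual-server design lets the virtual server with the more specific source (the address list) win over the wildcard one. As an added illustration that is not from either poster and is not F5 code, the Python below models both decisions offline so the expected routing can be checked before anything is changed on the LTM. The data-group entries, pool names and client addresses are constructed; `class_match` mimics the "in any host or subnet entry" semantics of `class match ... equals <address data group>`, and `vs_precedence_decision` mimics the K14800 rule that a specific-source virtual server is matched before a wildcard-source one.

```python
"""Constructed model of the thread's two routing strategies (not F5 code).

- irule_decision: one virtual server, per-connection data-group lookup (JRahm's iRule)
- vs_precedence_decision: two virtual servers, specific source list before wildcard (Daniel's design)
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional

# Constructed data group "offload_ips": a single host and an ip/mask subnet,
# the two entry kinds the iRule post says the data group holds.
OFFLOAD_IPS = ["203.0.113.10", "198.51.100.0/24"]


@dataclass(frozen=True)
class Decision:
    ssl_enabled: bool   # True: LTM terminates client TLS and re-encrypts to the pool
    pool: str           # pool name (constructed, matches the names in the iRule post)


def parse_data_group(entries: List[str]):
    """Turn 'host' and 'ip/mask' strings into ip_network objects (a host becomes a /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def class_match(client_ip: str, networks) -> bool:
    """Model of `class match -- $ip equals <address data group>`:
    true when the client address falls inside any host or subnet entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)


def irule_decision(client_ip: str, networks) -> Decision:
    """Single virtual server: the iRule's if/else, evaluated per connection."""
    if class_match(client_ip, networks):
        return Decision(ssl_enabled=True, pool="new_stack_cloud_application")
    return Decision(ssl_enabled=False, pool="on_premise_applications_servers")


@dataclass(frozen=True)
class VirtualServer:
    name: str
    source: Optional[list]   # list of ip_network from an address list, or None for wildcard "*"
    decision: Decision


def vs_precedence_decision(client_ip: str, virtual_servers: List[VirtualServer]) -> Optional[VirtualServer]:
    """Two (or more) virtual servers on the same destination and port: per K14800,
    a virtual server with a specific source is matched before one with a wildcard source."""
    addr = ipaddress.ip_address(client_ip)
    ordered = sorted(virtual_servers, key=lambda vs: 0 if vs.source is not None else 1)
    for vs in ordered:
        if vs.source is None:
            return vs                          # wildcard source: catch-all
        if any(addr in net for net in vs.source if net.version == addr.version):
            return vs
    return None


# Constructed pair of virtual servers mirroring Daniel's layout.
VIRTUAL_SERVERS = [
    VirtualServer("vs_passthrough", None,
                  Decision(ssl_enabled=False, pool="on_premise_applications_servers")),
    VirtualServer("vs_bridging", parse_data_group(OFFLOAD_IPS),
                  Decision(ssl_enabled=True, pool="new_stack_cloud_application")),
]


def approaches_agree(client_ip: str) -> bool:
    """Sanity check: both designs must route a given client the same way."""
    a = irule_decision(client_ip, parse_data_group(OFFLOAD_IPS))
    b = vs_precedence_decision(client_ip, VIRTUAL_SERVERS)
    return b is not None and a == b.decision


if __name__ == "__main__":
    for ip in ["203.0.113.10", "198.51.100.77", "192.0.2.5", "2001:db8::1"]:
        print(ip, irule_decision(ip, parse_data_group(OFFLOAD_IPS)), approaches_agree(ip))
```

Growing the migration scope in either design means adding an entry to the data group or to the address list; with this model the new entry can be dropped into `OFFLOAD_IPS` and the expected routing for the affected and unaffected clients checked before the change is applied.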
05-Jun-2023 14:40
Thanks JRahm, this helps!
05-Jun-2023 14:44
untested...make sure to test in a lab! if you have trouble I might be able to mock up tomorrow.
05-Jun-2023 14:49
Unfortunately I don't own an F5 LTM environment to test it. So I would be passing your solution across to them. I'll let you know in case of any issues during implementation. Thanks much.
06-Jun-2023 00:32
Hi Daniel,
Thanks for the additional solution. I will weigh up this approach as well. But here, for each phase of the migration, when I need to add a client IP / inbound source IP address, I need to make changes in the Virtual Server config, which is a bit risky, isn't it? With iRules, I would need to edit the "offload_ips" data group alone. Something similar to config management.
06-Jun-2023 01:11
Hi @maadavan,
you would either have to add the IP addresses to the datagroup or to the access list, but not to the virtual server directly. So it is equally risky. Not risky at all, in my opinion.
KR
Daniel
06-Jun-2023 01:22
Hi Daniel,
Thanks for clarifying. In that case, I'm happy with multiple feasible solutions. I will forward both viable solutions to the F5 implementation team for their views & ease of implementation & maintenance.
Thanks once again.
Cheers,
Maadavan
06-Jun-2023 08:16
@Daniel_Wolf HOW DARE YOU BEG TO DIFFER!! 😎
But seriously, 💯 on only using iRules where necessary. @maadavan, this solution is definitely the way to go!
06-Jun-2023 08:39
I'm always looking for trouble... 😁😁😁
06-Jun-2023 09:18
Thanks for clarifying & providing quick solutions @JRahm , @Daniel_Wolf