Forum Discussion

Jim_M's avatar
Jim_M
Icon for Cirrus rankCirrus
Sep 06, 2022

supporting a http2 sni website with f5 ltm?

I have a website which is working fine directly from browser to server. But not via f5 (v16.1.2).

The session uses https 443, tls1.2, http2.0, and the server relies on SNI. When via F5, the client browses https://app.external.com.  F5 presents a wildcard cert for external.com which the browser is happy with.  F5 forwards to backend https://server.internal.com.  The node in the pool uses FQDN to resolve server.internal.com. I have tried using host header replacement via an irule to enforce host header being server.internal.com. I have tried creating a custom server side ssl profile which has the "server name" field set to server.internal.com.

Unfortunately the backend still does not see the traffic as being for https://server.internal.com in the same way that a direct browser session would behave. Is there irule logging i can apply to see exactly what request is being sent from F5 to the backend?

application delivery
LTM

8 Replies

Sort By
  • AaronJB's avatar
    AaronJB
    Icon for SIRT rankSIRT
    Sep 06, 2022

    I believe you're on the right lines by including the server name in the server SSL profile, but I think (even if there's only one profile) you have to enable the "serverssl-use-sni" feature on the Virtual Server: https://support.f5.com/csp/article/K39408450

    If that isn't working then you could probably pull the SNI field out of the server side connection using iRules and the SSL::extensions command. Kai_Wilke has an example of inserting the SNI header here (which is an alternative for versions earlier than 15.1.x or if you didn't want to use multiple SSL profiles and the serverssl-use-sni featurea) which could be used as the basis to build a rule to extract and log the header instead.

  • AubreyKingF5's avatar
    AubreyKingF5
    Icon for Admin rankAdmin
    Sep 06, 2022

    Not to rock any boats, but the distributed cloud prefers SNI. It's remarkably easy to get going.

  • CA_Valli's avatar
    CA_Valli
    Icon for MVP rankMVP
    Sep 06, 2022

    Where are you seeing the problem - is it on the back-end SSL handshake? What is the serverSSL profile configuration? Does the server.internal.com server have a wildcard certificate as well? 

     

  • Jim_M's avatar
    Jim_M
    Icon for Cirrus rankCirrus
    Sep 07, 2022

    Sorry for the ignorance; what is "the distributed cloud"?

    • AubreyKingF5's avatar
      AubreyKingF5
      Icon for Admin rankAdmin
      Sep 19, 2022

      F5's Distributed Cloud (or XC) is the next generation platform for ADC from F5. It's a VERY different methodology than BigIP. F5's "devices" for XC, or Customer Edge Nodes, are actually SDN routers, not ADC appliances. 

  • P_Kueppers's avatar
    P_Kueppers
    Icon for MVP rankMVP
    Sep 09, 2022

    So the problem is only that ur sending app.external.com to your node but you have this hostname not configured and your node only listen to server.internal.com? So a simple Hostname Header rewrite is enough? Then create a LTM Policy with when host is app.external.com rewrite to server.internal.com 

    iRule for logging? something like this 

    when HTTP_REQUEST_RELEASE {
   log local0. "Client [IP::client_addr] This is the HTTP Host [HTTP::host]"
   log local0. "Query string of URI: [HTTP::uri] is [URI::query [HTTP::uri]]"
}

     

     

    • Jim_M's avatar
      Jim_M
      Icon for Cirrus rankCirrus
      Sep 12, 2022

      I suspect SNI is required.  I have applied a host header rewrite but that wasnt sufficient.

      Also, regardin the logging, does that irule log the client request? Or the request format as sent from F5 to backend?

      • P_Kueppers's avatar
        P_Kueppers
        Icon for MVP rankMVP
        Sep 12, 2022

        Okay I never used server-side sni before. Did you tried what AaronJB suggested? 

        The iRule logs the request form F5 to Backend.

        http_request = client to f5 and http_request_release = f5 to backend