
supporting a http2 sni website with f5 ltm?

Jim_M
Cirrus

I have a website which is working fine directly from browser to server, but not via F5 (v16.1.2).

The session uses https 443, TLS 1.2, HTTP/2.0, and the server relies on SNI. When via F5, the client browses https://app.external.com. F5 presents a wildcard cert for external.com which the browser is happy with. F5 forwards to backend https://server.internal.com. The node in the pool uses FQDN to resolve server.internal.com. I have tried using host header replacement via an iRule to enforce the host header being server.internal.com. I have tried creating a custom server-side SSL profile which has the "server name" field set to server.internal.com.

Unfortunately the backend still does not see the traffic as being for https://server.internal.com in the same way that a direct browser session would behave. Is there iRule logging I can apply to see exactly what request is being sent from F5 to the backend?

8 REPLIES

CA_Valli
Cumulonimbus

Where are you seeing the problem - is it on the back-end SSL handshake? What is the serverSSL profile configuration? Does the server.internal.com server have a wildcard certificate as well?

AaronJB
F5 SIRT

I believe you're on the right lines by including the server name in the server SSL profile, but I think (even if there's only one profile) you have to enable the "serverssl-use-sni" feature on the Virtual Server: https://support.f5.com/csp/article/K39408450

If that isn't working then you could probably pull the SNI field out of the server-side connection using iRules and the SSL::extensions command. @Kai_Wilke has an example of inserting the SNI header here (which is an alternative for versions earlier than 15.1.x or if you didn't want to use multiple SSL profiles and the serverssl-use-sni feature) which could be used as the basis to build a rule to extract and log the header instead.
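As an added example (not from this thread, F5, or @Kai_Wilke's post), here is a diagnostic iRule that logs the SNI the client sent, the SNI F5 is about to send to the pool member, and the Host line of each request released to the backend, so the three can be compared against what the backend expects. It assumes the virtual server has client-ssl, server-ssl and HTTP profiles, that logging to local0 (/var/log/ltm) is acceptable, and that the SSL::extensions return value carries the raw extension bytes (name starts at offset 9, an assumption to verify on your version).

```tcl
# Added diagnostic iRule: compare client SNI, server-side SNI and the
# forwarded Host header. Remove once troubleshooting is done; it logs
# hostnames for every connection.

when CLIENTSSL_CLIENTHELLO {
    # SNI is TLS extension type 0. Offset 9 skips type(2) len(2)
    # list-len(2) name-type(1) name-len(2); assumed raw-bytes layout.
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9A* client_sni
        log local0. "[IP::client_addr]: client SNI = $client_sni"
    } else {
        log local0. "[IP::client_addr]: client sent no SNI"
    }
}

when SERVERSSL_CLIENTHELLO_SEND {
    # ClientHello F5 sends to the pool member. An SNI shows up here only
    # when the server-ssl profile has server-name set and the virtual
    # server has serverssl-use-sni enabled (see K39408450 above).
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9A* server_sni
        log local0. "[IP::client_addr] -> [IP::server_addr]: server-side SNI = $server_sni"
    } else {
        log local0. "[IP::client_addr] -> [IP::server_addr]: NO SNI sent to backend"
    }
}

when HTTP_REQUEST_RELEASE {
    # Request as it leaves F5 towards the backend, after any Host rewrite
    # by an LTM policy or iRule on HTTP_REQUEST.
    log local0. "[IP::client_addr] -> [IP::server_addr]: [HTTP::method] [HTTP::host][HTTP::uri] HTTP/[HTTP::version]"
}
```

A backend that rejects the connection while the "server-side SNI" line is missing points at the serverssl-use-sni setting rather than at the Host header; a mismatch between the server-side SNI and the logged Host points at the rewrite.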

AubreyKingF5
Community Manager

Not to rock any boats, but the distributed cloud prefers SNI. It's remarkably easy to get going.

Jim_M
Cirrus

Sorry for the ignorance; what is "the distributed cloud"?

F5's Distributed Cloud (or XC) is the next generation platform for ADC from F5. It's a VERY different methodology than BigIP. F5's "devices" for XC, or Customer Edge Nodes, are actually SDN routers, not ADC appliances. 

P_Kueppers
Cirrus

So the problem is only that you're sending app.external.com to your node, but you don't have this hostname configured and your node only listens to server.internal.com? So a simple Host header rewrite is enough? Then create an LTM Policy with: when host is app.external.com, rewrite to server.internal.com

[attachment: P_Kueppers_0-1662726774514.png]

iRule for logging? Something like this:

when HTTP_REQUEST_RELEASE {
    # fires for the request as F5 forwards it to the backend
    log local0. "Client [IP::client_addr] This is the HTTP Host [HTTP::host]"
    log local0. "Query string of URI: [HTTP::uri] is [URI::query [HTTP::uri]]"
}

I suspect SNI is required. I have applied a host header rewrite but that wasn't sufficient.

Also, regarding the logging, does that iRule log the client request? Or the request format as sent from F5 to backend?

Okay, I never used server-side SNI before. Did you try what @AaronJB suggested?

The iRule logs the request from F5 to backend.

HTTP_REQUEST = client to F5, and HTTP_REQUEST_RELEASE = F5 to backend.