supporting a http2 sni website with f5 ltm?

Jim_M · ‎05-Sep-2022

I have a website which is working fine directly from browser to server. But not via f5 (v16.1.2).

The session uses https 443, tls1.2, http2.0, and the server relies on SNI. When via F5, the client browses https://app.external.com. F5 presents a wildcard cert for external.com which the browser is happy with. F5 forwards to backend https://server.internal.com. The node in the pool uses FQDN to resolve server.internal.com. I have tried using host header replacement via an irule to enforce host header being server.internal.com. I have tried creating a custom server side ssl profile which has the "server name" field set to server.internal.com.

Unfortunately the backend still does not see the traffic as being for https://server.internal.com in the same way that a direct browser session would behave. Is there irule logging i can apply to see exactly what request is being sent from F5 to the backend?

CA_Valli · ‎06-Sep-2022

Where are you seeing the problem - is it on the back-end SSL handshake? What is the serverSSL profile configuration? Does the server.internal.com server have a wildcard certificate as well?

AaronJB · ‎06-Sep-2022

I believe you're on the right lines by including the server name in the server SSL profile, but I think (even if there's only one profile) you have to enable the "serverssl-use-sni" feature on the Virtual Server: https://support.f5.com/csp/article/K39408450

If that isn't working then you could probably pull the SNI field out of the server side connection using iRules and the SSL::extensions command. @Kai_Wilke has an example of inserting the SNI header here (which is an alternative for versions earlier than 15.1.x or if you didn't want to use multiple SSL profiles and the serverssl-use-sni featurea) which could be used as the basis to build a rule to extract and log the header instead.

AubreyKingF5 · ‎06-Sep-2022

Not to rock any boats, but the distributed cloud prefers SNI. It's remarkably easy to get going.

Jim_M · ‎06-Sep-2022

Sorry for the ignorance; what is "the distributed cloud"?

AubreyKingF5 · ‎19-Sep-2022

F5's Distributed Cloud (or XC) is the next generation platform for ADC from F5. It's a VERY different methodology than BigIP. F5's "devices" for XC, or Customer Edge Nodes, are actually SDN routers, not ADC appliances.

P_Kueppers · ‎09-Sep-2022

So the problem is only that ur sending app.external.com to your node but you have this hostname not configured and your node only listen to server.internal.com? So a simple Hostname Header rewrite is enough? Then create a LTM Policy with when host is app.external.com rewrite to server.internal.com

iRule for logging? something like this

when HTTP_REQUEST_RELEASE {
   log local0. "Client [IP::client_addr] This is the HTTP Host [HTTP::host]"
   log local0. "Query string of URI: [HTTP::uri] is [URI::query [HTTP::uri]]"
}

Jim_M · ‎11-Sep-2022

I suspect SNI is required. I have applied a host header rewrite but that wasnt sufficient.

Also, regardin the logging, does that irule log the client request? Or the request format as sent from F5 to backend?

P_Kueppers · ‎12-Sep-2022

Okay I never used server-side sni before. Did you tried what @AaronJB suggested?

The iRule logs the request form F5 to Backend.

http_request = client to f5 and http_request_release = f5 to backend

DevCentral

supporting a http2 sni website with f5 ltm?

Khoros Kudos Award 2022