Forum Discussion

Godfrey_Bennet1's avatar
Godfrey_Bennet1
Icon for Nimbostratus rankNimbostratus
Aug 03, 2021

Troubleshooting an SSL OFFLOAD http application

Hi, apart from running ssldump, is there a way to troubleshoot a web service on the F5 which is setup with SSL Offload? Maybe there is an iRule which can dump all the HTTP details into a troublshooting log file? I would ideally like to be able to set the logging to happen only for a specified client IP address. My theory is that at the decrypted stage of the conversation, the F5 knows everything about the traffic so there must be an easy way to write all the http requests and responses into a file.

 

Thanks

2 Replies

  • Hi Godfrey,

     

    this KB article contains all the information you need in order to decrypt the clientside (and also the serverside) of a SSL connection. https://support.f5.com/csp/article/K12783074

     

    KR

    Daniel

  • If the SSL-encrypted content is already decrypted on the F5 system via SSL Offload (client-SSL profile applied to the virtual server), you can apply an HTTP-type profile to the virtual server and use an iRule (or perhaps even a Local Traffic Policy) that triggers on the HTTP_REQUEST event to log any and all parts of the HTTP payload you want to see for troubleshooting purposes. As for where to write these messages, one option would be to use a high-speed logging (HSL) publisher specifically designed to receive these messages. The example below logs the entire HTTP payload (not including HTTP headers) locally to /var/log/ltm at the debug level. Viewing of debug level messages can be controlled via the Configuration utility (GUI) or TMSH.

    when HTTP_REQUEST {
        # Change X.X.X.X to the IP address of your choice
        if { [IP::addr [IP::client_addr] equals "X.X.X.X"] } {
            log local0.debug "HTTP payload from [IP::client_addr] is [HTTP::payload]"
        }
    }

     For a nice example of logging HTTP request and response headers, see the article entitled Log HTTP Headers by hoolio.