blackboard
2 Topics

Blackboard ssl-offload using x-forwarded-proto unsuccessful
We are trying to off-load SSL processing to our LTM for Blackboard Learn 9.1.201404.160205 with the use of the header “X-Forwarded-Proto: https.” To paraphrase, Blackboard documentation states that when the header “X-Forwarded-Proto: https” is provided with an unencrypted session to Blackboard, Blackboard knows the SSL processing has been offloaded upstream and the session between Blackboard and the LTM continues unencrypted.

Below is a crude attempt at representing the desired flow:

    USER -> F5 (dst Port 80)
    User <- F5 redirect client to use https (dst Port 443)
    USER -> F5 https (dst port 443)
    F5 -> (has header X-Forwarded-Proto: https inserted) -> Appserver (dst port 8081 http)
    F5 <- Appserver (src port 8081 http)
    USER <- F5 (src port 443 https)

What we are experiencing is clients providing the X-Forwarded-Proto: https header connecting to the Blackboard application servers using http are being redirected to the https site of the server by the application server.

With the VIP configured to connect to the pool using http and inserted header X-Forwarded-Proto: https, the application server redirects the client to https. The LTM passes this redirect to the user, user connects to https VIP, the VIP inserts X-Forwarded-Proto: https header and connects to application server http, the application server sends a redirect back to client/user,…. until user’s browser presents too many redirects message.

F5 support provided an iRule to log header information sent to the application server. Below is the log viewed from the LTM CLI, “X-Forwarded-Proto: https” is being provided.

    Apr 1 15:35:00 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : Accept-Language: en-US,en;q=0.8
    Apr 1 15:35:00 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : X-Forwarded-For: aa.bb.cc.dd
    Apr 1 15:35:00 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : X-Forwarded-Proto: https
    Apr 1 15:35:00 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger :
    Apr 1 15:35:04 slot1/ocs-vip02 info tmm[10910]: Rule /Common/Header_logger : Accept-Language: en-US,en;q=0.8
    Apr 1 15:35:04 slot1/ocs-vip02 info tmm[10910]: Rule /Common/Header_logger : X-Forwarded-For: aa.bb.cc.dd
    Apr 1 15:35:04 slot1/ocs-vip02 info tmm[10910]: Rule /Common/Header_logger : X-Forwarded-Proto: https
    Apr 1 15:35:04 slot1/ocs-vip02 info tmm[10910]: Rule /Common/Header_logger : =============================================
    Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : Accept-Encoding: gzip, deflate, sdch
    Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : Accept-Language: en-US,en;q=0.8
    Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : X-Forwarded-For: aa.bb.cc.dd
    Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : X-Forwarded-Proto: https
    Apr 1 15:41:05 slot1/ocs-vip02 info tmm7[10918]: Rule /Common/Header_logger : =============================================

Output from using cURL from the LTM CLI to connect to the Blackboard application server. The output shows the “X-Forwarded-Proto: https” header is being provided, the Blackboard application server is replying with redirect.

    [] config curl -v -H "X-Forwarded-Proto:https" -H "X-Forwarded-For: aa.bb.cc.dd"
    * About to connect() to ww.xx.yy.zz port 8081 (0)
    * Trying ww.xx.yy.zz... connected
    * Connected to ww.xx.yy.zz (ww.xx.yy.zz) port 8081 (0)
    GET /webapps/portal/healthCheck HTTP/1.1
    User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
    Host: ww.xx.yy.zz:8081
    Accept: */*
    X-Forwarded-Proto:https
    X-Forwarded-For: aa.bb.cc.dd
    < HTTP/1.1 301 Moved Permanently
    < Server: Apache-Coyote/1.1
    < Location: https://ww.xx.yy.zz/webapps/portal/healthCheck
    < Content-Length: 0
    < Date: Wed, 01 Apr 2015 21:13:07 GMT
    < Connection: close
    <
    * Closing connection 0
    [] config

Output from using cURL from a Windows PC to connect to the Blackboard application server. The output shows the “X-Forwarded-Proto: https” header is being provided, the Blackboard application server is replying with redirect.

    C:\curl_741_0_ssh2_ssl>curl --http1.1 -v -S - -k -H "X-Forwarded-Proto:https" -H "X-Forwarded-For: aa.bb.cc.dd"
    * Trying ww.xx.yy.zz...
    * Connected to ww.xx.yy.zz (ww.xx.yy.zz) port 8081 (0)
    GET /webapps/portal/healthCheck HTTP/1.1
    User-Agent: curl/7.41.0
    Host: ww.xx.yy.zz:8081
    Accept: */*
    X-Forwarded-Proto:https
    X-Forwarded-For: aa.bb.cc.dd
    < HTTP/1.1 301 Moved Permanently
    < Server: Apache-Coyote/1.1
    < Location: https://ww.xx.yy.zz/webapps/portal/healthCheck
    < Content-Length: 0
    < Date: Thu, 02 Apr 2015 15:21:32 GMT
    < Connection: close
    <
    * Closing connection 0

Are there any known successful Blackboard/F5 configurations that take advantage of the F5 SSL offload with the use of the X-Forwarded-Proto header? What could be causing the application server to not accept the F5 VIP, F5 cURL (or Windows desktop cURL) provided X-Forwarded-Proto header?

Are there any other users experiencing this issue? If so, how is it being addressed? One workaround is to encrypt the traffic user to VIP and VIP to application server, no SSL offload. Are there any possible solutions?
Successful configurations for both the LTM and Windows/Blackboard server are greatly appreciated.

719 Views 0 likes 9 Comments

BigIP - LTM: Blackboard Oct 2014 release/load balancer redirect error

Hello,

We recently upgraded Blackboard to Oct 2014 (yes, it sounds old, but the way they do their patches it's not old). Anyway, when we did that, they swapped to Tomcat for web services instead of IIS. I also lost access to the 3 web servers through the load balancer. When you access the 3 web servers independent of the load balancer, they work fine. However, going through the load balancer, I get a "too many redirects" error.

The virtual server is port 443, the web servers are set on Tomcat to be port 8010. I've tried recreating the virtual server, the pools, everything, and cannot get it to work. I've tried setting the port back to match what IIS had at port 80, and no luck. Blackboard, of course, says everything is fine and they don't do anything with F5.

Any suggestions would be super helpful, as we start school next month and need this back up before then.

Thanks!

348 Views 0 likes 5 Comments
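
A check for the "too many redirects" symptom both posts describe, as an added example that is not part of either post: it parses a `curl -v` transcript of a plain-HTTP probe against a pool member and reports whether the answer would loop behind an SSL-offloading VIP. The transcript is constructed from the first post's output (with curl's `>` request markers), and the function names and result labels are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed transcript modelled on the first post's curl -v output
# (placeholder addresses as posted; '>' marks request lines, '<' response lines).
SAMPLE = """\
> GET /webapps/portal/healthCheck HTTP/1.1
> Host: ww.xx.yy.zz:8081
> X-Forwarded-Proto:https
> X-Forwarded-For: aa.bb.cc.dd
>
< HTTP/1.1 301 Moved Permanently
< Server: Apache-Coyote/1.1
< Location: https://ww.xx.yy.zz/webapps/portal/healthCheck
< Content-Length: 0
<
"""

REDIRECTS = {301, 302, 303, 307, 308}

def parse_curl_verbose(text):
    """Return (request_line, request_headers, status, response_headers)."""
    req_line, status, req, resp = None, None, {}, {}
    for line in text.splitlines():
        mark, body = line[:1], line[1:].strip()
        if mark not in ("<", ">") or not body:
            continue  # curl '*' info lines and blank header terminators
        if mark == ">" and req_line is None:
            req_line = body
        elif mark == "<" and status is None:
            status = int(body.split()[1])
        else:
            name, _, value = body.partition(":")
            (req if mark == ">" else resp)[name.strip().lower()] = value.strip()
    if req_line is None or status is None:
        raise ValueError("transcript lacks a request line or a status line")
    return req_line, req, status, resp

def diagnose(text):
    """Classify one plain-HTTP probe of the pool member."""
    req_line, req, status, resp = parse_curl_verbose(text)
    if req.get("x-forwarded-proto", "").lower() != "https":
        return "header-not-sent"
    loc = urlsplit(resp.get("location", ""))
    path = req_line.split()[1]
    # An https redirect to the same path returns through the VIP as plain HTTP
    # with the same header, so the application server answers identically.
    if status in REDIRECTS and loc.scheme == "https" and loc.path == path:
        return "redirect-loop"
    return "no-loop"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```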