Load balance messaging protocols like AMQP, MQTT, STOMP over TLS for ActiveMQ Artemis
Messaging protocols like AMQP, MQT, STOMP, OpenWire, HornetQ can all be load balanced trough the F5. Making the setup I encountered some issues. There is some specific configuration that needs to be apllied, which i will try to clearify. The setup: devices sending AMQP messages trough the F5 to a backend server over TLS. The F5 is configured as full proxy. The Virtual Server was pretty basic config. Standard Virtuals server, TCP, HTTP, SSL client & server profiles. Also websocket auto SNAT automap enabled. I selected the virtual server which had the correct certificate in the Clientssl profile. The client initiating the request has our root /& issuing CA trusted in their truststore. Using a tcpdump and wireshark, I saw the corect TLS handshakes, Application data over TLS is being send, but not much data and due an error *** the client sends a TCP reset. The F5 will only apply a profile, when that specific data is being detected (trigger). So yeah, there are TCP profiles to handle TCP and i have an SSL Client & server profile to handle TLS. Strangly it doesn't work. In the capture i took on the F5, wireshark sees the TLS application data as http-over-tls. hmm.. what if the F5 did the same? Then it would apply the http profile on the AMQP data, and that might screw things up. Disable the HTTP processing for that hostname, bingo. The next problem: the hostname, part off [HTTP::host] is not our event scopes. It is only activated when http profile is triggered. So the solution is to get the hostname, in this case the SNI (server name indication) from the TLS Client hello in eventCLIENTSSL_HANDSHAKE. And check the SNI value to disable http processing. caveat: this will only work for TLS 1.2. When TLS 1.3 is used with encrypted SNI, another solution is needed. Solution in short: it should work using a seperate virtual server with only TCP, SSL client & server profiles and have a load balancing default pool. If your setup is more complex and are reusing an existing VS, do the following. I use a combination of an iRule and datagrouplists to extract the SNI, disable HTTP processing and send it to the right pool. For a current setup the SNI is also inserted server-side. I think this step is optional but i'll paste the code too. datagrouplist dgl_vs01_sni_targetpool: messaging.company.local and value "the targetpool" datagrouplist dgl_vs01_disable_http_procesin: messaging.company.local without a value when CLIENTSSL_HANDSHAKE { if { [SSL::extensions exists -type 0] } { set dgl "dgl_vs01_sni_targetpool" set dgl_nohttp "dgl_vs01_disable_http_processing" # read SNI value and place into variable sni_value binary scan [SSL::extensions -type 0] {@9A*} sni_value log local0. "sni value: [expr {[info exists sni_value] ? ${sni_value} : {not found} }]" #disable HTTP processing for AMQP, MQTT, STOMP, etc if { [class match $sni_value equals $dgl_nohttp] }{ HTTP::disable log local0. "HTTP Disabled for $sni_value" } if { [class match $sni_value equals $dgl] }{ set pool_target [class match -value [string tolower $sni_value] equals $dgl] pool $pool_target log local0. "pool chosen for $sni_value, pool $pool_target " } } } when SERVERSSL_CLIENTHELLO_SEND { #Inject SNI serverside if { [class match $sni_value equals $dgl] }{ SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value] log local0. "SNI inserted $sni_value" } } For those less comfterable with iRule, you can do SNI-based load balancing like thishttps://community.f5.com/t5/technical-articles/sni-routing-with-big-ip/ta-p/282018 but I'm not sure how to disable HTTP processing with a policy in the ssl client hello. If someone knows please post below, thx. Now you are all set! Good luck with your F5 adventures. Documentation used: https://clouddocs.f5.com/training/community/irules/html/class1/module1/iRuleEventsFlowHTTPS.html https://community.f5.com/t5/crowdsrc/serverside-sni-injection-irule/ta-p/286745 https://community.f5.com/t5/crowdsrc/extracting-the-sni-server-name/ta-p/288029 https://activemq.apache.org/components/artemis/documentation/1.5.1/protocols-interoperability.html
Multiple HTTPS sites on a single IP
I'm trying to host multiple HTTPS sites with different HTTP backends on a single IP address, following https://support.f5.com/csp/article/K13452 as much as possible. Version: BIG-IP 13.1.1 Build 0.0.4 Final I have imported my wildcard certificate and have configured the following: Client SSL profiles domain.com: No "Server Name" "Default SSL Profile for SNI" checked sub1.domain.com: Parent: "domain.com" Server Name: "sub1.domain.com" "Default SSL Profile for SNI" NOT checked sub2.domain.com Parent: "domain.com" Server Name: "sub2.domain.com" "Default SSL Profile for SNI" NOT checked Virtual Servers sub1 Destination 10.0.0.1 Service port: 443 HTTPS HTTP profile: http SSL Profile (Client): domain.com + sub1.domain.com Source Address Translation: Auto Map sub2 Destination 10.0.0.2 Service port: 443 HTTPS HTTP profile: http SSL Profile (Client): domain.com + sub2.domain.com Source Address Translation: Auto Map But as mentioned I only have a single IP address, but when I change the destination on VS for sub2 to "10.0.0.1" I'm presented with this error: 01070333:3: Virtual Server /Common/sub2 illegally shares destination address, source address, service port, ip-protocol, and vlan with Virtual Server /Common/sub1 I was under the impression that because I'm using multiple SSL profiles with specific Server Names it should be possible to host this on a single IP.
Client SSL profiles using SNI not able to use the subject alternative name
We have a clientssl profile using a *.domain.com wildcard SSL certificate. This profile is set as the default for SNI. We also have specific clientssl profiles using the application specific SSL certificate. The application specific certs have their subject as www.application.com with the subject alternative name with application.com. There may also be several other SAN listed depending on the web app. In testing everything works great when accessing the site via https://www.application.com. However when using https://application.com we receive a cert error and the *.domain.com wildcard SSL certificate is used. This is the same for any domain listed as a SAN. My main question is can SNI use subject alternative names? My testing indicates no, but I wanted to put this out to the group. Here is my sanitized config: ltm profile client-ssl domain.com_wildcard { app-service none cert domain.com_wildcard.crt chain ComodoCA.crt defaults-from clientssl key domain.com_wildcard.key sni-default true } ltm profile client-ssl prod-www_application_com { app-service none cert prod-www_application_com.crt chain prod-www_application_com.intermediate.ca.crt key prod-www_application_com.key } ltm virtual vs-x.x.x.x_443 { destination x.x.x.x:https ip-protocol tcp mask 255.255.255.255 pool site-x.x.x.x_443 profiles { http-x-forward { } domain.com_wildcard { context clientside } prod-www_application_com { context clientside } serverssl-insecure-compatible { context serverside } tcp { } websecurity { } } source 0.0.0.0/0 source-address-translation { pool snat_pool type snat } vs-index 2539 }SNI Implementation
My F5 is running version 13.1.1.4.0.0.4. My organization has an existing web application that uses SNI. One URL does authentication based on certificates, the other URL does authentication based on Active Directory. We want to move this behind the F5 to utilize ASM. When researching how to set up SNI within the F5, I read numerous sites (farther below with a comment or two). I've tried numerous combinations of SSL profiles on the client and server side. On the Client side, I tried having a default clientssl with blank server name section (as described in the K13452 link below) and two more clientssl profiles that have the server name section populated with the respective URLs. I also tried removing the default clientssl with black server name and just setting one of the other clientssl's as the default. On the server side, I tried mirroring the client ssl profiles. I tried my standard serverssl profile in hopes it would just pass the SNI field. No luck. The site never comes up. When I do packet captures on my computer and the F5 (I capture the incoming traffic to the VIP and outgoing traffic to the server in the pool), in the TLS Client hello, I see the SNI field when it leaves my computer and arrives at the VIP of the F5. But the packet capture to the server in the pool does NOT have that field in the Client Hello. I don't know what I'm doing wrong. SSL Profiles Part 7: Server Name Indication K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature How can I configure Server SSL Profiles to connect to different URLs on the same server? Using the iRule in the accepted answer section from the above article did not get the SNI field to show in the client hello packet to the server in the pool. I make the "hostname" in the iRule "$hostname" and the sites in quotes are the two URLs. The SSL profile is the name of the serverssl profile. Serverside SNI injection iRule In the comments of this article, someone links a bug for 13.0. But that doesn't seem to describe what I'm experiencing (I'm experiencing no server side SNI at all).TCL error: _cgc_pick_clientside
Hi, in an ASM-LTM (Perimeter) Setup I see frquently the following logs: ***err: tmm3[19962]: 01220001:3: TCL error: _cgc_pick_clientside - unknown cgc sni: f5-bei1.xxxx.xx (line 49) invoked from within "CGC::sni $tls_servername"*** Any idea what this TCL error causes? The clientssl is quite Basic: one certificate chain, no Server Name set. Thanks, Rolf
2 SSL certificates on a VS
Hi Experts, I have recieved a requirement to configure 2 certificates on a single VS so whicheve URL is requested it issues the related cerificate. For example I have www.abc.com & www.abc.in and I have 2 certificates *.abc.com and www.abc.in Can this be achieved, if yes how.
SNI and Client certificate authentication
Hi LTM 11.4.0 VE I want a VS that listens to 443 and terminates TLS 1.0+ https traffic. It should have two Client SSL profiles (with different certificates and hostnames in the certificates for SNI to work of course), one default and the other should use SNI. They should afterwards be proxied to different pools. So far so good. The problem is that I want to have Client Certificate Authentication as well. Unfortunetaly the Client SSL profiles above should not accept certificates issued from the same CA-chain. (The client certificates do share the same rootCA though). The only way I can get F5 to swallow my two Client SSL profiles at the same time in my VS is to put a CA bundle containing both my CA-chains in "Trusted Certificate Authorities" on both Client SSL profiles. Unless I do this I get: 0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/vs_https_external. Putting the bundle in Trusted Certificate Authorities gives the unwanted effect that clients from one CA-chain can is authenticated sucessfully agains the other Client SSL profile and the opposite. As a side note, both type of client certificates will be checked against a common OCSP server. This all comes from a shortage of IP adresses. Do any of you F5 professors have any idea? Do I have to code/copy-paste a custom iRule to solve this?
