ssl offloading
12 TopicsSSL off-loading and secure WebSocket
Hi, We have a Big-IP load balancer, and we are planning to publish a web application that uses secure WebSockets (WSS). We are a little bit concerned about how the load balancer is going to handle this situation, because the SSL offloading. Is there anything special we have to configure or taken care off? Clients will send an HTTPS request with a WebSocket handshake, that includes the HTTP headers "Upgrade:websocket" and "Connection:Upgrade". Will the load balancer populate those headers to the web server? Will the load balancer understand that those connections are persistent and non-HTTP? Thanks.1.2KViews0likes8CommentsDoes using default clientssl profile disable SSL offload for the VIP?
I have a VIP that is using client ssl profile with default (localhost) certificate. my pool members for this VIP have the Certificate for this URL. I see the certificate when i access the VIP. I believe that i should receive a certificate error if SSL offloading is enabled on F5 but i dont see the error. Why is that?439Views0likes4CommentsHTTP_Profile breaking application that relies on Host_header
We are trying to migrate a Web Application from old ACE Load Balancer to F5. The nodes serving the application apply style sheets to the page based on the HTTP Host Header that is received in the GET request. Depending on the FQDN that is called from the browser the application applies a particular style sheet or another. This is currently working as expected in a really old Cisco ACE Load Balancer that does not do any inspection at the HTTP layer other than using SSL. The only way for it to work in the F5 is by removing the HTTP profile so that HTTP inspection does not happen. However, we cannot remove the http_profile because we need cookie persistence and also SSL encryption which is impossible to use without the http_profile. These are my questions: Is there a way to do SSL offloading and cookie persistence in the F5 without using and HTTP profile so that the F5 passes the GET seamlessly without looking at it at all? If there is no way, what you think it could be the cause of the issue here? I know is a very difficult question to answer without looking at more details but general ideas will be appreciated as I am out of ideas right now in how to make this work and the coders do not really want to make any changes to the application to provide me with multiple URIs so that the F5 makes the decision based on that.324Views0likes1CommentSSL TPS Limits
Hello All, We've been performing load testing for an application that is going to be deployed in the near future and during that load testing I noticed that our 8950 LTM going over the base license 500 tps for SSL, typically it would drop back down below the threshold pretty quickly never remaining above 500 for more than a second or so. After reviewing SOL6475: Overview of SSL TPS licensing limits it sounds like it might be best to upgrade the SSL license so that SSL connections aren't dropped? Just wanted to get other members experience with this. Thanks, Brian482Views0likes5CommentsPossibility of the Dynamic hostname in the SNI field?
Hello Guys, Can somebody please help me to know if I can have a dynamic host address in the serverssl profile with which I can enable the SNI on it. SO in short I have a requirement in which the hostname will be changing (****.example.com) all the time but it needs to be there in the SNI field. As far as I know, we can have a static entry in its filed so not sure if the dynamic can be placed in it or not. Really appreciate your time and help. Thanks and regards, R424Views0likes3CommentsSHA-2 issues in client SSL profile
Hello, I am into an issue where I apply SHA-2 certificate in the client profile the SSL session doesn't complete and webpage doesn't open. But it works fine with SHA-1 certificate. We are running 11.4 software version, I believe it is supporting sha-2 cipher. This might be a browser compatibility issue. Has someone faced similar problem before ? As per NIST regulations: For SSL Certificates expiring before December 31, 2016, you can still use SHA-1 to generate your SSL Certificate. However, when ordering or renewing any SSL Certificate that expires after December 31, 2016, SHA-2 is automatically selected by default. Regards, Akhtar463Views0likes4CommentsSSL offloading with SNI - API possibilities
Hello, We are considering F5 LTM. Particularly we are looking for following use cases: We need to provision virtual server(s) with SSL offloading and multiple SSL certificates assigned to one virtual server. So I need to be able to do following tasks via F5 REST API: upload SSL certificates delete SSL certificates create virtual servers edit virtual servers delete virtual servers (re)assign SSL certificates to particular virtual servers If it can be confirmed that it's possible it would be great. Thx.254Views0likes1Commentx-forwarded-proto + F5 + Drupal issues
my client has setup F5 and doing ssl offloading. I'm using drupal application on linux RedHat. network team has set the x-forwarded-proto header on F5 device. I've added RequestHeader add X-Forwarded-Proto https in my httpd.conf file and in settings.php (of drupal) i've added below when a request is made using https:// to load balancer it is routing the request to app server and everything loads just fine, however if the request is just http:// to load balancer then my app server is converting all references to resources (images/ css/ scripts) as https:// when the request is handed over to app server, will it carry or expected to carry the x-forwarded-proto in headers received by app server? I'm confused on what to do, where to fix.515Views0likes4CommentsIIS Web App Redirects Client to Port 80 from 443
Hey All, I am attempting to do SSL offloading via the F5 for a web app that runs off of IIS. The SSL portion is configured and functioning, when you hit the login page via https://www.myapp.com you get the login page but after entering your credentials to login the web app redirects the client to port 80. I put an 80 to 443 redirect via HTTP Class on the port 80 VIP but it just redirects you to the login page after entering your credentials. Shouldn't the F5 proxy that connection back to the client through the load balancer from 80 to 443? Brian322Views0likes2Comments