Forum Discussion

Huw's avatar
Huw
Icon for Altostratus rankAltostratus
Jan 30, 2024

SSL Offload with HTTP/2.0

I need to configure SSL Offload with HTTP/2.0.

All the guidance I've read says we need to choose clientssl-secure as the client-ssl profile - but how does that work when you're terminating the TLS session? How do we configure a certificate on the client-side?

  • The following article does give instructions to use the clientssl-secure profile:
    https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-http2-full-proxy-configuration/http2-full-proxy-configuring.html

    However, this is just used an example. In reality, you would use clientssl-secure as a parent profile of a child clientssl profile (which has the cert / key / chain applied).

    Below is a configuration that I have used in the past for configuring HTTP/2 with SSL offload. It disables renegotiation and only allows TLS1.2

     

    Configuring HTTP/2 Client-Side (SSL Offload)

    # Create HTTP/2 profile
    create ltm profile http2 HTTP2 defaults-from http2
    
    # Create parent client-ssl HTTP/2 compatible profile (renegotiation disabled and TLS1.2 PFS ciphers enabled)
    create ltm profile client-ssl CLIENTSSL-HTTP2 defaults-from client-ssl description "HTTP/2 Compatible - SSL Renegotiation Disabled, PFS Enabled" renegotiation disabled ciphers 'ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES' options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }
    
    # Create child client-ssl profile (inherit from parent client-ssl profile)
    create ltm profile client-ssl CLIENTSSL-HTTP2-<FQDN> defaults-from CLIENTSSL-HTTP2 cert-key-chain add { <FQDN>-<YEAR> { cert <FQDN>-<YEAR>.crt key <FQDN>-<YEAR>.key chain <INTERMEDIATE CA BUNDLE>.crt } }
    
    # Create pool
    create ltm pool <POOL NAME> load-balancing-mode least-connections-member members add { <IP>:<PORT> } monitor <MONITOR>
    
    # Create HTTP/2 virtual server
    create ltm virtual <VS NAME> destination <VIP>:<PORT> profiles add { tcp http HTTP2 CLIENTSSL-HTTP2-<FQDN> } pool <POOL NAME> 
  • The following article does give instructions to use the clientssl-secure profile:
    https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-http2-full-proxy-configuration/http2-full-proxy-configuring.html

    However, this is just used an example. In reality, you would use clientssl-secure as a parent profile of a child clientssl profile (which has the cert / key / chain applied).

    Below is a configuration that I have used in the past for configuring HTTP/2 with SSL offload. It disables renegotiation and only allows TLS1.2

     

    Configuring HTTP/2 Client-Side (SSL Offload)

    # Create HTTP/2 profile
    create ltm profile http2 HTTP2 defaults-from http2
    
    # Create parent client-ssl HTTP/2 compatible profile (renegotiation disabled and TLS1.2 PFS ciphers enabled)
    create ltm profile client-ssl CLIENTSSL-HTTP2 defaults-from client-ssl description "HTTP/2 Compatible - SSL Renegotiation Disabled, PFS Enabled" renegotiation disabled ciphers 'ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES' options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }
    
    # Create child client-ssl profile (inherit from parent client-ssl profile)
    create ltm profile client-ssl CLIENTSSL-HTTP2-<FQDN> defaults-from CLIENTSSL-HTTP2 cert-key-chain add { <FQDN>-<YEAR> { cert <FQDN>-<YEAR>.crt key <FQDN>-<YEAR>.key chain <INTERMEDIATE CA BUNDLE>.crt } }
    
    # Create pool
    create ltm pool <POOL NAME> load-balancing-mode least-connections-member members add { <IP>:<PORT> } monitor <MONITOR>
    
    # Create HTTP/2 virtual server
    create ltm virtual <VS NAME> destination <VIP>:<PORT> profiles add { tcp http HTTP2 CLIENTSSL-HTTP2-<FQDN> } pool <POOL NAME> 
  • Where have you read that you NEED to choose clientssl-secure? I quickly checked a few articles and don't see it.

  • Under the virtual server you should have a setting labeled "SSL Profile (Client)" which is where you would associate your SSL cert and key of choice to the virtual server in question. Please keep in mind that if you use the "clientssl-secure" it will use an F5 self-signed SSL certificate so end users will receive an error on their side about either the name not matching or that you are using an SSL certificate that isn't from a trusted certificate authority.

    • Huw's avatar
      Huw
      Icon for Altostratus rankAltostratus

      Thanks Paulius - that makes sense, but why does all the documentation refer to clientssl-secure? I can't think of an situation where that would be useful.

      Also - do I need to do anything differently on the client SSL profile than I would have done using HTTP/1.1?