
Forum Discussion

maadavan
Jun 05, 2023
Solved

SSL Offloading for specific IPs or range of IPs

Current flow is as below

Client -> F5 LTM (SSL Proxying) -> On premise Application Servers (TLS Offloading).

Certificates that do TLS offloading have the F5 LTM DNS name as CN/SAN.

For a migration of my on-premise application stack to the cloud, I need to achieve the two cases below.

Client -> F5 LTM (SSL offloading for specific client IPs & Reencrypt TLS) -> New Stack cloud Application

Client -> F5 LTM (SSL Proxying) -> On premise Application Servers (TLS Offloading).

I have gone through Bypass ssl offloading to certain IPs - DevCentral (f5.com) & SSL Offloading using iRules - DevCentral (f5.com), but they do not cover the exact case. I would want to confirm with the experts here in the forum. Can someone kindly shed some light and give a small example please?

11 Replies

  • Something like this maybe (where offload_ips is a data-group with ip host and ip/mask as specified)

    # Assumes the virtual server carries both a client SSL and a server SSL profile.
    when CLIENT_ACCEPTED priority 500 {
        # offload_ips: address-type data-group holding the client hosts/networks to offload
        if {[class match -- [IP::client_addr] equals offload_ips]} {
            # Listed clients: terminate TLS here, re-encrypt towards the cloud stack
            SSL::enable
            pool new_stack_cloud_application
        } else {
            # Everyone else: pass TLS through untouched on both sides
            SSL::disable clientside
            SSL::disable serverside
            pool on_premise_applications_servers
        }
    }

    • JRahm, I beg to differ and offer a different solution. Not every problem requires an iRule to be solved. 🙂
      I'd rather create two virtual servers, one with pool_A and SSL Bridging configured and another one with pool_B and SSL Passthrough, and make use of K14800: Order of precedence for virtual server matching.

      Order  Destination     Source             Port
      1      (host address)  (network address)  (port)
      2      (host address)  *                  (port)

      For the source you can use an Address List as described in this Manual article: Configuring Multiple IP Addresses and Service Ports for a Virtual Server. This would replace the datagroup for matching the source IP address(es).

      KR
      Daniel 

      • JRahm

        Daniel_Wolf HOW DARE YOU BEG TO DIFFER!! 😎

        But seriously, 💯 on only using iRules where necessary. maadavan, this solution is definitely the way to go!

      • JRahm

        Untested... make sure to test in a lab! If you have trouble I might be able to mock up tomorrow.
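Daniel's two-virtual-server approach written out as tmsh commands, as an added example that is not part of the thread. The VIP 203.0.113.10:443, the client ranges and the object names are constructed; it assumes a BIG-IP version that supports address lists on virtual servers through traffic-matching-criteria objects, and that a client SSL profile carrying the certificate with the LTM name as CN/SAN is substituted for the default clientssl.

```tmsh
# Constructed values: VIP 203.0.113.10:443, client ranges 192.0.2.0/24 and
# 198.51.100.7, pool and object names. Adjust to the real environment.

# 1. Address list of client IPs/ranges to offload (replaces the iRule data-group).
create net address-list offload_ips addresses add { 192.0.2.0/24 198.51.100.7 }

# 2. Matching criteria: same destination and port as the passthrough virtual,
#    but restricted to the listed sources. A network source outranks the
#    wildcard source, so this virtual is chosen first (K14800 row 1).
create ltm traffic-matching-criteria tmc_cloud_offload protocol tcp destination-address-inline 203.0.113.10 destination-port-inline 443 source-address-list offload_ips

# 3. SSL Bridging virtual for the cloud stack: clientssl terminates the client
#    TLS session, serverssl re-encrypts towards the cloud pool. Replace
#    clientssl with the profile holding the certificate named after the LTM.
create ltm virtual vs_app_cloud_bridging traffic-matching-criteria tmc_cloud_offload profiles add { tcp clientssl serverssl } pool new_stack_cloud_application source-address-translation { type automap }

# 4. SSL Passthrough virtual for every other client: same destination, any
#    source (K14800 row 2), no SSL profiles, so TLS ends on the on-premise servers.
create ltm virtual vs_app_onprem_passthrough destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp } pool on_premise_applications_servers source-address-translation { type automap }

save sys config
```

Moving a client between the two paths is then a change to the address list only, which is also the place to look when a connection lands on the wrong pool.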