Hummingbird_143
Feb 07, 2014

HTTPS Redirect with no SSL termination on F5

Hi, I am trying to set up an HTTPS redirect so all the traffic to https://www.example.com/ goes to https://www.example.com/guest, but this HTTPS virtual server is not using F5 to do SSL offload, so F5 to backend server is HTTPS not HTTP.

I tried using F5 to decrypt the HTTPS traffic by loading an SSL client cert to this virtual server, so it can use iRule, and then encrypt it before it sends back to server, but couldn't get that to work.

I wonder if F5 can do this kind of redirect, with iRule or something else.

Thanks in advance!

10 Replies

  • I tried using F5 to decrypt the HTTPS traffic by loading an SSL client cert to this virtual server, so it can use iRule, and then encrypt it before it sends back to server, but couldn't get that to work.

    can you post the configuration?

     tmsh list ltm virtual virtual_server_name
     tmsh list ltm pool pool_name
    
    • Hummingbird_143
      Here is the config:

       tmsh list ltm pool airgroup-https-pool
       ltm pool airgroup-https-pool {
           members {
               10.79.107.228:https {
                   priority-group 1
                   session monitor-enabled
               }
               10.68.118.138:https {
                   priority-group 2
                   session monitor-enabled
               }
           }
           min-active-members 1
           monitor https
       }

       tmsh list ltm virtual airgroup-https-vs
       ltm virtual airgroup-https-vs {
           destination 10.68.220.25:https
           ip-protocol tcp
           mask 255.255.255.255
           pool airgroup-https-pool
           profiles {
               tcp { }
           }
           snat automap
           translate-address disabled
       }

      And I'll try the client/server profile as suggested by Nathan.
    • nathe
      Hummingbird, you'll need an http profile too if you want to do redirection.
  • nathe

    Hummingbird,

    Yes, F5 can do this. Apply a Client SSL profile to the VS to decrypt/terminate the SSL traffic. Use the certificate for the hostname required, i.e. www.example.com.

    If you then want to re-encrypt to the backend then you can simply apply the default serverssl Server SSL profile to the VS too.

    As for redirecting the URI, you can use an iRule, else an HTTP Class Profile (applied to the VS) or a Local Traffic Policy too (if using TMOS 11.4 and above).

    Hope this helps,

    N

  • In short, if you do not decrypt the SSL at the proxy (F5), you cannot have the proxy issue an HTTP redirect. If you are willing to decrypt (and optionally re-encrypt) the data at the proxy, then you can absolutely do an HTTP redirect. Based on your question, I'd recommend revisiting the decrypt/re-encrypt option. That requires client and server SSL profiles applied to the virtual server. Are you requiring a client certificate at the web server, or any specific SSL requirements that may be causing issues in the re-encryption?

  • Thanks everyone for the help, and I got this working with both client and server SSL profiles applied to the https virtual server.

    Thanks again, DevCentral is really a unique place comprised of super-smart users who know just about everything there is to know about F5 technology. Most of the time I can find my answer on DevCentral instead of needing to contact F5 support.

    • nathe
      good to hear, thanks for letting us know
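
The redirect discussed in the replies, written out as an added example that is not part of the original thread and not F5-supplied code: an iRule for a virtual server that already has Client SSL, Server SSL and http profiles attached. The hostname and paths come from the question; pinning the redirect target to a fixed hostname instead of echoing the request's Host header is a choice made for this example.

```tcl
# Added example (not from the thread). Assumes the virtual server terminates
# TLS with a Client SSL profile for www.example.com, re-encrypts with a
# Server SSL profile, and has an http profile: HTTP_REQUEST never fires
# without the http profile, and never sees plaintext without Client SSL.
when HTTP_REQUEST {
    # The Host header is client-supplied: lower-case it and drop any :port
    # suffix before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Redirect only the bare root of the intended site. HTTP::path excludes
    # the query string, so "/?x=1" is also redirected. Every other path,
    # including /guest itself, passes to the pool unchanged, so the rule
    # cannot loop.
    if { $host eq "www.example.com" && [HTTP::path] eq "/" } {
        # Fixed Location value: building it from [HTTP::host] would let a
        # forged Host header choose where the client is sent.
        HTTP::redirect "https://www.example.com/guest"
        return
    }
}
```

The stock serverssl profile re-encrypts traffic to the pool but, by default, does not verify the pool member's certificate; a custom Server SSL profile with a trusted CA bundle is needed if the backend leg must be authenticated.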