Forum Discussion

Vishakh_Krishna
Nov 04, 2014

Plain HTTPS Server with no SSL termination

Dear Team, I need to create an HTTPS virtual server with no SSL offloading. (The certificate is installed directly on the OBIE server.) The pool member node listens on 9804 with the certificate installed on it (HTTPS needs to be enabled with the URL: https://obie.xyz.ae:9804/analytics). I am able to access the physical IP of the OBIE server (10.10.41.19, which resolves to obie.xyz.ae). However I am unable to access the virtual IP configured on F5 in the same way. Please guide me on the proper steps in order to achieve the same (is there any SSL client or server profile required on Virtual Server?). Also, the requirement is that users need to access the same URL without mentioning the port, i.e. https://obie.xyz.ae (9804/analytics not required).

 

Hoping for the earliest response from you guys. Please do the needful.

 

Thanks, Vish

 

10 Replies

  • However I am unable to access the virtual IP configured on F5 in the same way.

    can you post the configuration?

     tmsh list ltm virtual (name)
     tmsh list ltm pool (name)
    

    is there any SSL client or server profile required on Virtual Server?

    no

    there is some information here. hope it is helpful.

    sol12015: Configuration requirements for SSL virtual servers, profiles, pools, and monitors

    https://support.f5.com/kb/en-us/solutions/public/12000/000/sol12015
    • Vishakh_Krishna
      (tmos.ltm) list virtual HQ-OBI-P-2-https-VS
      ltm virtual HQ-OBI-P-2-https-VS {
          description HQ-OBI-P-2
          destination 10.10.47.120:https
          ip-protocol tcp
          mask 255.255.255.255
          pool HQ-OBI-P-2-Pool
          profiles {
              HQ-OBI-P-2-https {
                  context serverside
              }
              star.tdic.ae {
                  context clientside
              }
              tcp { }
          }
          source 0.0.0.0/0
          source-address-translation {
              type automap
          }
          vlans-disabled
      }
      =======================
      ltm pool HQ-OBI-P-2-Pool {
          load-balancing-mode least-connections-member
          members {
              10.10.41.19:9804 {
                  address 10.10.41.19
                  session monitor-enabled
                  state up
              }
          }
          monitor TCP-9804
      }
      ===========================
      ltm monitor tcp TCP-9804 {
          defaults-from tcp
          destination *:*
          interval 5
          time-until-up 0
          timeout 16
      }
      ================================
  • can you try to remove HQ-OBI-P-2-https and star.tdic.ae profiles?

     

  • Removed both the SSL profiles on the virtual server. Still I am not able to access the server through the virtual IP. 10.10.41.19 is the physical server and the SSL certificate is installed on it, and the server listens on port 9804 using the URL https://10.10.41.19.xyz.ae:9804/analytics. But when I use the virtual IP https://10.10.47.120.xyz.ae:9804/analytics, it doesn't work, which is one of the requirements. The second requirement is that I need to rewrite the URL https://10.10.47.120.xyz.ae:9804/analytics to https://10.10.47.120. Please do the needful.

     

  • But when I use the virtual IP https://10.10.47.120.xyz.ae:9804/analytics, it doesn't work, which is one of the requirements.

     

    you used the wrong url. it should be https://10.10.47.120/analytics

     

    The second requirement is that I need to rewrite the URL https://10.10.47.120.xyz.ae:9804/analytics to https://10.10.47.120.

     

    without ssl offloading, you cannot rewrite uri.

     

  • You are right. When I tried using https://10.10.47.120/analytics, it works without any SSL profiles. Thanks a million for your support. However, I have a query: if I want to access the same URL https://10.10.47.120 without using /analytics, what are the configuration changes that need to be done?

     

    Thanks, Vish

     

    • nitass
      you have to do ssl offloading (i.e. decrypt and re-encrypt traffic). then you can rewrite uri (i.e. add /analytics using HTTP::uri). HTTP::uri https://clouddocs.f5.com/api/irules/HTTP__uri.html
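
The rewrite described in the last reply, as an added example that is not part of the original thread and not F5's own code: an iRule that maps a request for the site root to /analytics. It assumes the virtual server carries an http profile together with client-side and server-side SSL profiles (the thread's star.tdic.ae and HQ-OBI-P-2-https), so that BIG-IP sees the decrypted request before re-encrypting it to the pool member.

```tcl
# Added example, not from the thread.
# Assumptions: an http profile plus clientside and serverside SSL profiles are
# attached to the virtual server. Without them (plain pass-through, as in the
# working configuration from the thread) HTTP_REQUEST never fires, because
# BIG-IP only forwards encrypted bytes and cannot parse the request.
when HTTP_REQUEST {
    # Rewrite only the bare root request. Requests that already target
    # /analytics or any other path are passed to the pool unchanged.
    if { [HTTP::path] eq "/" } {
        # Keep any query string the client sent.
        set query [HTTP::query]
        if { $query ne "" } {
            HTTP::uri "/analytics?$query"
        } else {
            HTTP::uri "/analytics"
        }
    }
}
```

The rewrite happens only on the server side of the connection; the client's address bar still shows https://10.10.47.120/, and the private key for the client-side certificate has to be present on BIG-IP for the decryption step.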