Forum Discussion

skethi_183651's avatar
skethi_183651
Icon for Nimbostratus rankNimbostratus
Jan 21, 2015

How to Use Web Server for SSL instead of F5 via F5

Hello,

 

I am trying to use the Certs that are installed on the webserver instead of the certs on the F5. how can i achieve it.

 

14 Replies

  • are you looking to offload SSL on the F5 using the web-server's certificate, or are you looking to terminate SSL at the web-server instead of the F5?

     

    • skethi_183651's avatar
      skethi_183651
      Icon for Nimbostratus rankNimbostratus
      ok now i understood what SSL offloading mean. We are currently doing the SSL offloading, but we dont want to do that . we want to terminate the SSL at the Web Server instead of the F5. This is only a backup approach we are trying to use for temporarily.
    • shaggy_121467's avatar
      shaggy_121467
      Icon for Cumulonimbus rankCumulonimbus
      in the virtual server configuration of the application's virtual server configured for HTTPS, remove the clientSSL profile and serverSSL profile. When you remove a client SSL profile from a virtual server, the F5 loses the ability to examine HTTP-level data as F5 is now passing encrypted data through the F5 rather than terminating SSL and re-encrypting to pool members. Therefore, if you use any of the following features/profiles, they will also need to be removed - HTTP, oneconnect, cookie-based persistence, http-compression, stream profile, analytics profile, HTML profile, web acceleration profiles, iRules that use HTTP events/functions, LTM policy profiles that have HTTP-related statements, etc.
    • skethi_183651's avatar
      skethi_183651
      Icon for Nimbostratus rankNimbostratus
      Thanks, For the update but we are using iRules, we need iRules as that is what is doing the traffic routing and redirects. is there any other alternative? or what kind of iRule i can use.
  • shaggy's avatar
    shaggy
    Icon for Nimbostratus rankNimbostratus

    are you looking to offload SSL on the F5 using the web-server's certificate, or are you looking to terminate SSL at the web-server instead of the F5?

     

    • skethi_183651's avatar
      skethi_183651
      Icon for Nimbostratus rankNimbostratus
      ok now i understood what SSL offloading mean. We are currently doing the SSL offloading, but we dont want to do that . we want to terminate the SSL at the Web Server instead of the F5. This is only a backup approach we are trying to use for temporarily.
    • shaggy's avatar
      shaggy
      Icon for Nimbostratus rankNimbostratus
      in the virtual server configuration of the application's virtual server configured for HTTPS, remove the clientSSL profile and serverSSL profile. When you remove a client SSL profile from a virtual server, the F5 loses the ability to examine HTTP-level data as F5 is now passing encrypted data through the F5 rather than terminating SSL and re-encrypting to pool members. Therefore, if you use any of the following features/profiles, they will also need to be removed - HTTP, oneconnect, cookie-based persistence, http-compression, stream profile, analytics profile, HTML profile, web acceleration profiles, iRules that use HTTP events/functions, LTM policy profiles that have HTTP-related statements, etc.
    • skethi_183651's avatar
      skethi_183651
      Icon for Nimbostratus rankNimbostratus
      Thanks, For the update but we are using iRules, we need iRules as that is what is doing the traffic routing and redirects. is there any other alternative? or what kind of iRule i can use.
  • I have also read something about Proxy SSL on the Server Profile and Client profile. will this work for my issue?

     

    • Brad_Parker's avatar
      Brad_Parker
      Icon for Cirrus rankCirrus
      As shaggy said, if you are using any Layer 7 events including HTTP, which requires an HTTP profile means you will require a client SSL profile. I don't think you can control the Layer 7 packet flow in proxy mode, I believe that is more for inspection for logging. If you are currently doing SSL offload, there's no problem with re-encrypting with a server SSL profile to still have an SSL handshake with the backend server.
    • skethi_183651's avatar
      skethi_183651
      Icon for Nimbostratus rankNimbostratus
      Thank you Brad and Shaggy, I understood what you are saying now. But how can i create a iRule without Http Events/functions. below is my current iRule which i use to redirect traffic to different pool, that is traffic redirect on the ports is key based on the URL how can i achieve the same functionality without using the HTTP Events/ Functions. What are the alternatives to below Events / Functions. when HTTP_REQUEST { if {[string tolower [HTTP::host]] equals "abc.com" } { HTTP::redirect "http://123.com/homepage[HTTP::uri]" } elseif {[string tolower [HTTP::host]] equals "123.com" } { pool QA-WEB-444_Pool; persist none; } else { persist none } }
    • Brad_Parker's avatar
      Brad_Parker
      Icon for Cirrus rankCirrus
      I may have misspoken about not being able to use the SSL proxy feature though I have never actually tried it myself. Give it a whirl in a pre-prod environment and see if your irule still works. Make sure however that your clientSSL profile only includes ciphers that your backend server can negotiated. I do know that they have to be compatible to work. https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html & https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/14.html should get you started.
  • could you explain why you need to do the termination at the server?

     

    if it is because of security demands then there is no way to also be able to look into the traffic. that is the whole idea of SSL, you can't look in there.

     

    if the demand is just to talk with encryption on the server side you can apply a server side ssl profile and do that.

     

    SSL Proxy feature decrypt the traffic also and is compatible with iRules as can be read in this following SOL: https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

     

    if it doesn't work for you you probably haven't got it setup correctly.

     

    if you need help please explain your use case a bit better.