Forum Discussion

mahmad2_222556
May 30, 2018

Can F5 encrypt port 80 traffic on the backend

This is an unusual request where the app owner wants to receive traffic on a port 80 VIP but wants to encrypt that traffic and send it to backend pool members on port 443. He doesn't want the client browser to get redirected to HTTPS. Is this scenario even possible?


2 Replies

  • It's possible. I think what you're looking for is the server-ssl profile.


    Your VS would receive the connection on port 80 without TLS. The BIG-IP would then send the traffic to the pool member on port 443 using TLS.


    Take a look at this K14806: https://support.f5.com/csp/article/K14806


    Cheers! Rafael
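A tmsh rendering of the setup Rafael describes, added here as an example and not taken from either reply: the virtual server accepts cleartext HTTP on port 80, has no client-ssl profile, and a server-ssl profile attached on the server side makes the BIG-IP originate TLS to pool members on 443. Object names, addresses and the hostname are constructed placeholders; the stock serverssl parent profile does not validate the backend certificate, so the example sets peer-cert-mode require with the built-in CA bundle so the re-encrypted leg is actually authenticated.

```tmsh
# Added example (not from the thread). Addresses, object names and the
# hostname are constructed placeholders; adjust to your environment.

# 1. Pool of backend servers that speak TLS on 443. The https monitor
#    confirms members answer over TLS, not merely that the port is open.
create ltm pool pool_app_443 {
    members {
        10.1.20.11:443 { address 10.1.20.11 }
        10.1.20.12:443 { address 10.1.20.12 }
    }
    monitor https
}

# 2. Server-side TLS profile. The parent "serverssl" profile uses
#    peer-cert-mode ignore, i.e. it accepts any certificate the pool member
#    presents. Requiring a chain to the CA bundle and pinning the expected
#    name means a member with an untrusted or mis-named cert fails the
#    handshake and no request is forwarded to it.
create ltm profile server-ssl serverssl_app {
    defaults-from serverssl
    peer-cert-mode require
    ca-file ca-bundle.crt
    server-name app.internal.example
    authenticate-name app.internal.example
}

# 3. Virtual server: plain HTTP on port 80 from the client (no client-ssl
#    profile), TLS re-encryption on the server side only.
create ltm virtual vs_app_http80 {
    destination 10.1.10.50:80
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        serverssl_app { context serverside }
    }
    pool pool_app_443
    source-address-translation { type automap }
}

save sys config
```

The client-to-VIP leg stays unencrypted, so this only protects the hop between the BIG-IP and the pool members; anything sensitive on the wire in front of the VIP remains visible.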


  • It's doable, but you're gonna have a bad time with your client compatibility. If you want the HTTP on port 80 to encrypt in addition to redirecting to 443 on the back end, you'll have to SSL bridge the connection (client-ssl profile & server-ssl profile) and make sure any client connecting to port 80 can support HTTP upgrade headers/opportunistic encryption.


    There are working standards within HTTP/1.1 and HTTP/2 that allow you to upgrade an unencrypted HTTP connection to use TLS and stay within HTTP and port 80. However, the client will have to support it, and while the working group for HTTP/2 couldn't come to a conclusion to enforce TLS, vendors are still hard-coding it in some applications.


    You'll get the app to work but potentially expose it to legacy man-in-the-middle attacks (starting unencrypted and asking to upgrade to TLS) and incompatible clients. No one is to stop Google from preventing encryption on port 80 in Chrome. We've seen them enforce non-standards and get them ratified after. Again... you can do whatever you want and it should work, but you're at the mercy of our heavily weighted industry's acceptance of HTTPS on 443 and HTTP on 80 being unencrypted.


    If you get this working, you may also run into future compatibility issues as new standards are ratified and adopted in browser clients. Any discussion on HTTP over 80 with upgrade encryption happened over 4 years ago, and that's a long time in browser years.


    tl;dr - You can, but you'll probably have compatibility issues with browsers.