Forum Discussion

TD_388740
May 07, 2019

L7 https ACL with APM SSL VPN not working

Hi, I am building a POC for Client SSL VPN with F5 APM in AWS. Since we are using AWS I would like to use L7 ACLs instead of L4 since IP addresses keep changing in AWS.

I got it working for http but not for https.

In another post I found this: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_resources.html147209

You can use a Layer 4 or Layer 7 ACL with network access, web applications, or web access management connections, with the following configuration notes. With network access, you can use a Layer 7 ACL that is configured to provide access control for port 80 HTTP connections. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies, and the default access profile, access. For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the private key of the backend server.

Does that really mean I will have to create an additional VS for every single URL I want to access via https and also need the key for that URL?

I hope not.

Thanks.

2 Replies

  • Do you want to use an L7 ACL to filter URLs inside a Network Access tunnel?

    If this is what you expect, the problem is that HTTPS is not HTTP with secured content but HTTP inside a TLS tunnel...

    So until you terminate the TLS tunnel on the BIG-IP, you can't read the HTTP request, and so you can't read the URL...

    When you create a virtual server with a clientSSL profile, it terminates SSL, allowing you to read the HTTP request.

  • TD

    I solved it with the help of Henrik Gyllkrans. Thanks for your help Henrik.

    We are now sending a list of ports and FQDNs in a TCL-formatted list (saved in an LDAP attribute) to the F5 during login and use an iRule to do nslookups for all FQDNs and create ACLs based on this information. Works well so far but needs some more work on the error catching. The F5 is set up as caching DNS to have better responses on the nslookups.
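The approach in the reply above (a per-user list of `{port fqdn}` elements from LDAP, resolved at login into L4 allow entries) can be sketched offline. The following is an added illustration, not the poster's iRule or any F5 API: it is plain Python, the TCL list format and hostnames are constructed placeholders, the `build_acl` / `parse_tcl_list` names are assumptions, and DNS is supplied by an injectable resolver so the failure case the poster mentions (an FQDN that does not resolve) can be exercised without a network.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of the LDAP attribute: a TCL list of {port fqdn} elements.
# The .test hostnames are placeholders, not real systems.
SAMPLE_ATTR = "{443 intranet.example.test} {80 wiki.example.test} {8443 missing.example.test}"

# One brace-delimited element: a port followed by a hostname.
TCL_ELEMENT = re.compile(r"\{\s*(\d{1,5})\s+([A-Za-z0-9.-]+)\s*\}")


def parse_tcl_list(attr: str) -> List[Tuple[int, str]]:
    """Return (port, fqdn) pairs from a brace-delimited TCL-style list."""
    entries = []
    for port, fqdn in TCL_ELEMENT.findall(attr):
        p = int(port)
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range in attribute: {port}")
        entries.append((p, fqdn.lower()))
    return entries


def resolve_with_stdlib(fqdn: str) -> Optional[List[str]]:
    """Default resolver: every IPv4 address for fqdn, or None when lookup fails."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return None


def build_acl(attr: str,
              resolver: Callable[[str], Optional[List[str]]] = resolve_with_stdlib
              ) -> Tuple[List[Dict], List[str]]:
    """Expand the attribute into allow entries (one per resolved address and port).

    Returns (entries, errors). An FQDN that fails to resolve produces an error
    string instead of an entry, so the tunnel is never widened by a lookup failure.
    """
    entries: List[Dict] = []
    errors: List[str] = []
    for port, fqdn in parse_tcl_list(attr):
        ips = resolver(fqdn)
        if not ips:
            errors.append(f"{fqdn}: unresolved, no ACL entry created")
            continue
        for ip in ips:
            ipaddress.ip_address(ip)  # reject anything that is not a literal address
            entries.append({"action": "allow", "proto": "tcp", "dst": ip,
                            "port": port, "fqdn": fqdn})
    # Explicit final reject: this example's own choice, so anything not listed is blocked.
    entries.append({"action": "reject", "proto": "any", "dst": "0.0.0.0/0",
                    "port": 0, "fqdn": "*"})
    return entries, errors


# Constructed answers standing in for the caching DNS, for offline runs.
FAKE_DNS = {
    "intranet.example.test": ["10.0.1.5", "10.0.1.6"],
    "wiki.example.test": ["10.0.2.20"],
}


def fake_resolver(fqdn: str) -> Optional[List[str]]:
    return FAKE_DNS.get(fqdn)


if __name__ == "__main__":
    acl, problems = build_acl(SAMPLE_ATTR, fake_resolver)
    for e in acl:
        print(f"{e['action']:6} {e['proto']:4} {e['dst']:15} :{e['port']:<5} ({e['fqdn']})")
    for p in problems:
        print("error:", p)
```

Two points worth keeping when turning this into an iRule: an unresolved name must fall through to the deny rather than to a wildcard, and the entries are only as current as the resolver's cache, which is why the poster fronts the lookups with a caching DNS.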