Forum Discussion

Lukes
Jun 17, 2020

configure port 443 to use ssl that is installed on Apache or Caddy server

Hi,

Trying to open port 443 (https) without offloading the SSL cert. If I don't set up any profile, the BigIP does not forward traffic to my server. If I set up only a server-side SSL profile without any certificate, it forwards, but there is no information about the requested host.


I cannot find any information on how to do it properly.


Thank you for your help

Luke

7 Replies

  • Thank you, Mayur, for the help. I finally fixed it by enabling Address Translation and Port Translation and setting Source Address Translation to AutoMap. Just two checkboxes fixed all issues. Now my Caddyserver v2 autoconfigures SSL and runs the website without problems. Love it.

  • Hello. As you are trying to skip SSL offloading on F5 and let the server handle the SSL handshakes, do not configure an HTTP profile or client- and server-side SSL profiles on the Virtual Server. In this config, the client will do SSL handshakes with the actual web server.


    Just check the settings to see if SNAT is required to be enabled. If the web server's gateway is not F5, you need to enable the SNAT option; otherwise it will cause an asymmetric routing issue.


    Hope it helps!

    Mayur
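    The passthrough setup described in this thread (no HTTP or SSL profiles, SNAT enabled, and the address/port translation the original poster ended up enabling), written out as an added tmsh example from the BIG-IP bash shell. This is not configuration from the thread: the virtual server address 203.0.113.10, the object names and the pool member port 443 are assumptions.

```tmsh
# Added example, not from this thread. Run from the BIG-IP bash shell,
# so "\" continues a line. 203.0.113.10 is a placeholder virtual address;
# pool and virtual server names are made up; 192.168.1.199 is the web
# server from the thread and port 443 is assumed.

# Pool of back-end servers that terminate TLS themselves (Caddy/Apache).
tmsh create ltm pool caddy_https_pool \
    members add { 192.168.1.199:443 } \
    monitor tcp

# Virtual server with only a TCP profile: no http, client-ssl or
# server-ssl profile, so the client's ClientHello (SNI included) is
# passed to the back end unchanged and the handshake happens there.
# translate-address / translate-port = the "Address Translation" and
# "Port Translation" checkboxes; automap SNAT makes return traffic
# come back through the BIG-IP even when it is not the server's gateway.
tmsh create ltm virtual caddy_https_passthrough_vs \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    profiles add { tcp } \
    pool caddy_https_pool \
    translate-address enabled \
    translate-port enabled \
    source-address-translation { type automap }

tmsh save sys config
```

    Because the BIG-IP never decrypts the session, it cannot route on the requested hostname, so one virtual server maps to one pool. With automap SNAT the back end sees the BIG-IP self IP as the client address, so client IPs must be recovered elsewhere if the web server's logs need them.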

  • Hi Mayur,


    I tried those options, and it still does not work. I tried the simplest option, which was:

    the pool for that virtual server has one member, 192.168.1.199, with the Service Port set to 0 (I selected *)


    I also tried exactly what you said, which was no http profile, no SSL profile for client and server, and SNAT selected


    Any ideas? How to debug this stuff?

  • Now check the route on F5 for the web server IP, i.e. 192.168.1.199. Check if a proper route is available. This will also cause issues.


    Mayur

  • When I SSH to the F5 box I can do a traceroute to 192.168.1.199 and it works. The route that I have on BigIP is only the default one, which is the gateway type for our public IP.


    I have almost 100 Virtual Servers configured and everything works; however, I never tried to skip SSL offloading. I cannot believe that it is that complicated. Unless there is a bug in BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2.

  • Also, for everybody else, I am trying to run Caddyserver v2. The idea is that the whole application is configured in Caddy and F5 BigIP is a pure firewall and, if possible, a load balancer.

  • I ran a few tests. I ran openssl externally and internally, and the external one did not receive any response.


    Internal:

    openssl s_client -connect 192.168.1.199:443 -cipher 'DEFAULT:!ECDH'

    CONNECTED(00000003)

    3073623740:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:

    ---

    no peer certificate available

    ---

    No client certificate CA names sent

    ---

    SSL handshake has read 7 bytes and written 161 bytes

    ---

    New, (NONE), Cipher is (NONE)

    Secure Renegotiation IS NOT supported

    Compression: NONE

    Expansion: NONE

    ---


    External:

    openssl s_client -connect next-app.XXXX.com:443 -cipher 'DEFAULT:!ECDH'

    CONNECTED(00000003)


    write:errno=104

    ---

    no peer certificate available

    ---

    No client certificate CA names sent

    ---

    SSL handshake has read 0 bytes and written 292 bytes

    Verification: OK

    ---

    New, (NONE), Cipher is (NONE)

    Secure Renegotiation IS NOT supported

    Compression: NONE

    Expansion: NONE

    No ALPN negotiated

    Early data was not sent

    Verify return code: 0 (ok)

    ---