F5 as a proxy to encapsulate every HTTP session into ssl

Question

Hi,&nbsp;
&nbsp;We have a specific architecture and we want to use the F5 as a proxy device, a specific proxy device...&nbsp;
&nbsp;I explain : 
&nbsp;We have a lot of customers in Internet (several hundred, we can't create a specific virtual server for all that customers) and we want to use the SSL acceleration card on F5 to do some stuff about SSL encapsulation.  So we have several servers in front office connected to the F5 and those servers have to send some information on Internet in SSL (to our customers).&nbsp;
&nbsp;So the flow that we want to implement : &nbsp;
&nbsp;Server ----[HTTP]----&gt; F5 -----[SSL]---&gt; Customers (a lot of customers)&nbsp;&nbsp;
&nbsp;I think I have to use : &nbsp;
&nbsp;1. A virtual server : *  to catch every connection from my server in front office and in direction of Internet 
&nbsp;2. no pool 
&nbsp;3. Server SSL profile&nbsp;
&nbsp;A irule which creates a node with the destination IP of the packet ?&nbsp;
&nbsp;Do you think that it's a good idea and that it could be work ? Do you have another idea ? &nbsp;
&nbsp;Thank you for your help&nbsp;
&nbsp;Nicolas.

nitass · Answer

is it similar to this? 
  
 [root@Edelweiss:Active] config  b route list
route default inet {
   gateway 172.28.17.254
}
[root@Edelweiss:Active] config  b virtual bar list
virtual bar {
   translate address enable
   translate service enable
   snat automap
   destination any:any
   mask 0.0.0.0
   ip protocol tcp
   rules myrule
   profiles {
      serverssl {
         serverside
      }
      tcp {}
   }
}
[root@Edelweiss:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        node [IP::local_addr] 443
}
}

curl -I http://209.85.175.103/
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2011 16:32:52 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
Transfer-Encoding: chunked

[root@Edelweiss:Active] config  tcpdump -nni 0.0 'tcp[13] = 2'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
09:32:30.438210 IP 10.10.72.30.38683 &gt; 209.85.175.103.80: S 1386918676:1386918676(0) win 5840 
09:32:30.440113 IP 172.28.17.70.38683 &gt; 209.85.175.103.443: S 3298992726:3298992726(0) win 4380

george_watkins_ · Answer

Hi Nicolas, 
&nbsp;  
&nbsp; The problem that you are going to run into is hostname mismatches. Your clients will receive errors unless you have a wildcard certificate for a domain and all the SSL sessions will be within that domain. It isn't possible to select an SSL profile based on hostname as the SSL session is negotiated prior to any hostname exchanges. However this is different from your diagram. If you only want to encrypt traffic on the server-side that is a much easier (albeit uncommon) scenario. Hope this helps, 
&nbsp;  
&nbsp; George

Forum Discussion

F5 as a proxy to encapsulate every HTTP session into ssl

2 Replies

Recent Discussions

When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost

cat and grep command for rst messages

iControl for Gtm wideip

Telemetry streaming to Elasticsearch

Portal Access to HTTPS resources slow

Related Content

HTTP Proxy Encapsulator v10/v11

Configuring A Generic Routing Encapsulation (GRE) Tunnel Using BIG-IP

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy

SSL PROXY