Forum Discussion

Quintious_74258
Nov 17, 2011

Encrypting HTTP traffic to SSL on LTM

We're about to leverage our LTM's for a partnership, and need to know how to take unencrypted traffic and encrypt it.

Basically what we're doing is:

-Traffic will come in from our partner via HTTPS. Big-IP will serve as the SSL termination point, convert the packets to HTTP, change the port number (to a pre-defined port, let's say 4000) that the server is listening on, and forward them off to the servers (which cannot read or interpret HTTPS packets). This entails setting up a client SSL thing.


-The servers will then respond with HTTP traffic over, again let's say, port 4000 after they have processed the data, at which time the LTM will take the unencrypted data, re-encrypt it, and send it as HTTPS traffic via port 443 to our partner. This requires a server SSL configuration.

Now the twist:

-The servers will also need to proactively send HTTP traffic to our partner without first receiving a packet that the LTM has decrypted. We need the LTM to proactively encrypt that data that comes in as HTTP over...again, let's say 4000, and then send it off to our partner as HTTPS traffic over port 443. The servers can't do it, because the app can't do it.

I read somewhere that SNAT plays a role in this last twist, but I can't seem to find the forum post again. Is there a solution article out there that details how we can do this? Or has anyone done it, and can provide a blow-by-blow of what we need to do to make it work?

7 Replies

  • Hi,

    For the partner (HTTPS) -> LTM -> (HTTP) app traffic you can create a virtual server on port 443 with a client SSL profile pointing to a pool of the server(s) on port 4000. The replies will follow the reverse path. If your server(s) have their default gateway set to the LTM floating self IP, you don't need SNAT. If that's not the case, then use SNAT on the virtual server.

    For the app (HTTP) -> LTM -> (HTTPS) partner traffic, you can create an HTTP virtual server with a server SSL profile pointing to a pool of the partner server(s) on port 443. You'll need to use SNAT on this virtual server. You'll also need a TMM route (or default route) to get to the partner network.

    Aaron
  • OK, so even if the servers are not responding to the partner's packets, and the packets aren't returning through an existing connection in BIG-IP, we still use a server ssl profile and it will automatically encrypt traffic that the LTM is seeing for the first time? I just want to make sure I'm understanding this correctly, because the LTM essentials course was stating that server ssl profiles were for "return" traffic - it didn't say anything about fresh traffic that's being initiated internally.
  • Replies are handled by the original virtual server the request went through. However, if you have both sets of hosts originating traffic, then you need two virtual servers.

    For the VS which handles your requests to the partner, you use a server SSL profile to encrypt the LTM to partner pool traffic. For the VS which handles the partner requests to you, you use a client SSL profile to decrypt the requests and re-encrypt the responses on the clientside of LTM.

    Aaron
  • Alright, thanks, we'll give it a shot.

    (And will probably still open a sev. 3 ticket to help walk us through it anyways, since we're paying for the premium support :P).
  • Just an example of what Aaron said. I have to use SNAT and an iRule due to my lab environment.

    This is for HTTPS to HTTP.

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:443
       ip protocol 6
       profiles {
          clientssl {
             clientside
          }
          tcp {}
       }
       vlans external enable
    }
    [root@ve1023:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:4000 {}
    }
    
    curl -Ik https://172.28.19.79
    HTTP/1.1 200 OK
    Date: Fri, 18 Nov 2011 09:04:18 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [root@ve1023:Active] config  tcpdump -nni 0.0 port 443 or port 4000
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    01:04:04.467014 IP 172.28.19.253.50827 > 172.28.19.79.443: S 4250042541:4250042541(0) win 5840 
    01:04:04.467072 IP 172.28.19.79.443 > 172.28.19.253.50827: S 3878453677:3878453677(0) ack 4250042542 win 4380 
    01:04:04.468913 IP 172.28.19.253.50827 > 172.28.19.79.443: . ack 1 win 46 
    01:04:04.477800 IP 172.28.19.253.50827 > 172.28.19.79.443: P 1:106(105) ack 1 win 46 
    01:04:04.477837 IP 172.28.19.79.443 > 172.28.19.253.50827: P 1:793(792) ack 106 win 4380 
    01:04:04.480082 IP 172.28.19.253.50827 > 172.28.19.79.443: . ack 793 win 58 
    01:04:04.480095 IP 172.28.19.253.50827 > 172.28.19.79.443: P 106:292(186) ack 793 win 58 
    01:04:04.484510 IP 200.200.200.10.50827 > 200.200.200.101.4000: S 2032949847:2032949847(0) win 4380 
    01:04:04.484517 IP 172.28.19.79.443 > 172.28.19.253.50827: P 793:840(47) ack 292 win 4485 
    01:04:04.485823 IP 200.200.200.101.4000 > 200.200.200.10.50827: S 3932073000:3932073000(0) ack 2032949848 win 5792 
    01:04:04.485834 IP 200.200.200.10.50827 > 200.200.200.101.4000: . ack 1 win 4380 
    01:04:04.486872 IP 172.28.19.253.50827 > 172.28.19.79.443: P 292:472(180) ack 840 win 58 
    01:04:04.486893 IP 200.200.200.10.50827 > 200.200.200.101.4000: P 1:156(155) ack 1 win 4380 
    01:04:04.487832 IP 200.200.200.101.4000 > 200.200.200.10.50827: . ack 156 win 54 
    01:04:04.489095 IP 200.200.200.101.4000 > 200.200.200.10.50827: P 1:263(262) ack 156 win 54 
    01:04:04.489116 IP 172.28.19.79.443 > 172.28.19.253.50827: P 840:1127(287) ack 472 win 4851 
    01:04:04.489119 IP 200.200.200.101.4000 > 200.200.200.10.50827: F 263:263(0) ack 156 win 54 
    01:04:04.489126 IP 200.200.200.10.50827 > 200.200.200.101.4000: . ack 264 win 4642 
    01:04:04.489131 IP 172.28.19.79.443 > 172.28.19.253.50827: F 1127:1127(0) ack 472 win 4851 
    01:04:04.493034 IP 172.28.19.253.50827 > 172.28.19.79.443: P 472:499(27) ack 1128 win 71 
    01:04:04.493048 IP 172.28.19.253.50827 > 172.28.19.79.443: F 499:499(0) ack 1128 win 71 
    01:04:04.493058 IP 172.28.19.79.443 > 172.28.19.253.50827: . ack 500 win 4878 
    01:04:04.493067 IP 200.200.200.10.50827 > 200.200.200.101.4000: F 156:156(0) ack 264 win 4642 
    01:04:04.493889 IP 200.200.200.101.4000 > 200.200.200.10.50827: . ack 157 win 54 
    
    
  • This is for HTTP to HTTPS.

    [root@ve1023:Active] config  b virtual bar2 list
    virtual bar2 {
       snat automap
       pool foo2
       destination 200.200.200.79:4000
       ip protocol 6
       rules myrule2
       profiles {
          http {}
          serverssl {
             serverside
          }
          tcp {}
       }
       vlans internal enable
    }
    [root@ve1023:Active] config  b pool foo2 list
    pool foo2 {
       members 74.125.235.50:443 {}
    }
    [root@ve1023:Active] config  b rule myrule2 list
    rule myrule2 {
       when HTTP_REQUEST {
          HTTP::header replace Host "www.google.com"
       }
    }
    
    curl -I http://200.200.200.79:4000
    HTTP/1.1 200 OK
    Date: Fri, 18 Nov 2011 09:02:39 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=ISO-8859-1
    Set-Cookie: PREF=ID=4ef4ba14c2189eec:FF=0:TM=1321606959:LM=1321606959:S=hTpVLYxefmsAEtSk; expires=Sun, 17-Nov-2013 09:02:39 GMT; path=/; domain=.google.com
    Set-Cookie: NID=53=t3p09w0aYLbn2wOZIOZOnypE889mOydciWSDfW9KacQee-sNIPmJlxx6jH0Sm-bD-Um2TUxZm12xM8nlAANVrZXb117QEE-uKgQW2mzY4jcCgIVly_xhfdbvr5sdOpWJ; expires=Sat, 19-May-2012 09:02:39 GMT; path=/; domain=.google.com; HttpOnly
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    Transfer-Encoding: chunked
    
    [root@ve1023:Active] config  tcpdump -nni 0.0 port 4000 or port 443
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    01:06:52.264065 IP 200.200.200.101.53947 > 200.200.200.79.4000: S 2974964524:2974964524(0) win 5840 
    01:06:52.264127 IP 200.200.200.79.4000 > 200.200.200.101.53947: S 3360020780:3360020780(0) ack 2974964525 win 4380 
    01:06:52.264879 IP 200.200.200.101.53947 > 200.200.200.79.4000: . ack 1 win 46 
    01:06:52.264910 IP 200.200.200.101.53947 > 200.200.200.79.4000: P 1:163(162) ack 1 win 46 
    01:06:52.265061 IP 172.28.19.80.53947 > 74.125.235.50.443: S 723819090:723819090(0) win 4380 
    01:06:52.272054 IP 74.125.235.50.443 > 172.28.19.80.53947: S 2091216247:2091216247(0) ack 723819091 win 5672 
    01:06:52.272076 IP 172.28.19.80.53947 > 74.125.235.50.443: . ack 1 win 4380 
    01:06:52.272124 IP 172.28.19.80.53947 > 74.125.235.50.443: P 1:95(94) ack 1 win 4380 
    01:06:52.277870 IP 74.125.235.50.443 > 172.28.19.80.53947: . ack 95 win 89 
    01:06:52.282934 IP 74.125.235.50.443 > 172.28.19.80.53947: P 1:134(133) ack 95 win 89 
    01:06:52.283029 IP 172.28.19.80.53947 > 74.125.235.50.443: P 95:142(47) ack 134 win 4380 
    01:06:52.283040 IP 172.28.19.80.53947 > 74.125.235.50.443: P 142:324(182) ack 134 win 4513 
    01:06:52.290825 IP 74.125.235.50.443 > 172.28.19.80.53947: . ack 324 win 106 
    01:06:52.314970 IP 74.125.235.50.443 > 172.28.19.80.53947: P 134:794(660) ack 324 win 106 
    01:06:52.315001 IP 200.200.200.79.4000 > 200.200.200.101.53947: P 1:636(635) ack 163 win 4542 
    01:06:52.315979 IP 200.200.200.101.53947 > 200.200.200.79.4000: . ack 636 win 56 
    01:06:52.315990 IP 200.200.200.101.53947 > 200.200.200.79.4000: F 163:163(0) ack 636 win 56 
    01:06:52.315997 IP 200.200.200.79.4000 > 200.200.200.101.53947: . ack 164 win 4542 
    01:06:52.316002 IP 172.28.19.80.53947 > 74.125.235.50.443: F 324:324(0) ack 794 win 5173 
    01:06:52.322060 IP 74.125.235.50.443 > 172.28.19.80.53947: F 794:794(0) ack 325 win 106 
    01:06:52.322075 IP 172.28.19.80.53947 > 74.125.235.50.443: . ack 795 win 5173 
    01:06:52.322078 IP 200.200.200.79.4000 > 200.200.200.101.53947: F 636:636(0) ack 164 win 4542 
    01:06:52.322975 IP 200.200.200.101.53947 > 200.200.200.79.4000: . ack 637 win 56
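As an added check, not part of this thread: a small Python script that pairs the clientside and serverside legs in tcpdump output like the two captures above, using only the bare SYN lines, and reports which leg carries TLS (judged by port 443, as the thread does). The sample lines are taken from the captures above; the pairing-by-source-port rule relies on BIG-IP keeping the client's source port on the serverside leg, which is my assumption and is what both captures show.

```python
import re

# Constructed sample: SYN and SYN/ACK lines in the format of the two captures above.
SAMPLE = """\
01:04:04.467014 IP 172.28.19.253.50827 > 172.28.19.79.443: S 4250042541:4250042541(0) win 5840
01:04:04.467072 IP 172.28.19.79.443 > 172.28.19.253.50827: S 3878453677:3878453677(0) ack 4250042542 win 4380
01:04:04.484510 IP 200.200.200.10.50827 > 200.200.200.101.4000: S 2032949847:2032949847(0) win 4380
01:06:52.264065 IP 200.200.200.101.53947 > 200.200.200.79.4000: S 2974964524:2974964524(0) win 5840
01:06:52.265061 IP 172.28.19.80.53947 > 74.125.235.50.443: S 723819090:723819090(0) win 4380
"""

# Matches a bare SYN (no "ack" field), i.e. the start of one TCP leg.
SYN_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"S \d+:\d+\(0\) win \d+$"
)

def tls_leg(client_dport, member_dport):
    """Name the leg that carries TLS, judged by port 443 as in the thread."""
    if client_dport == "443":
        return "clientside"
    if member_dport == "443":
        return "serverside"
    return "none"

def pair_legs(capture):
    """Pair each clientside SYN (to the virtual server) with the serverside SYN
    (SNAT address -> pool member) that reuses its source port. Assumption: BIG-IP
    preserves the client's source port on the serverside leg (its default)."""
    pending, pairs = {}, []
    for line in capture.splitlines():
        m = SYN_RE.match(line.strip())
        if not m:
            continue
        syn = m.groupdict()
        first = pending.get(syn["sport"])
        if first is None or first["src"] == syn["src"]:
            pending[syn["sport"]] = syn   # new clientside leg (or a retransmit)
            continue
        pairs.append({
            "client": first["src"],
            "vs": f'{first["dst"]}:{first["dport"]}',
            "snat": syn["src"],
            "member": f'{syn["dst"]}:{syn["dport"]}',
            "tls_leg": tls_leg(first["dport"], syn["dport"]),
        })
        del pending[syn["sport"]]
    return pairs
```

Running `pair_legs(SAMPLE)` yields one record per proxied connection, showing the client address, the virtual server it hit, the SNAT address BIG-IP used on the serverside, the pool member, and which leg was TLS.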