Forum Discussion

Siddharth_Gupta
Nov 30, 2006

SSL enabling towards Internet

Hi,

I want to know if it's possible for the LTM to terminate HTTPS on the client side, redirect the unencrypted HTTP to a pool of HTTP proxies and re-enable SSL on the way out to the internet.

So the flow should look like this:

Client----(HTTPS)----LTM--------(HTTP)-----HTTP Proxy------(HTTP)------LTM ------(HTTPS)-------Internet

I need this since my HTTP proxies are incapable of processing HTTPS traffic.

Please advise.

6 Replies

  • That's actually the default scenario. If you enable SSL on the client side, but then you simply configure the pool members to respond on whatever port they listen on (80, for example), it will decrypt the traffic and forward it unencrypted to the pool members. You would actually have to configure another SSL profile for the server side if you wanted it encrypted between the F5s and the pool members as well.

    For the record, I use the same scenario, because the traffic passes through IDPs in the process, and I don't want it encrypted at that point.
  • The problem is that none of my pool members are the actual servers. They are just HTTP proxies. So the server resides in the Internet and hence I cannot enable server-side SSL on the F5 towards my pool members.

    In summary, I want the F5 to pool member unencrypted but the F5 to the actual web server (which is not in my pool) to be encrypted.

    Hope that makes sense.
  • That actually isn't clear. Can you elaborate on exactly what you're trying to accomplish?

    Are you saying that the BIG-IP to web server connection is through an HTTP proxy server? You want to decrypt the traffic to the HTTP proxy, but have the BIG-IP re-encrypt it somehow after the proxy to the final web server?

    The only thing I can think of would be to use a VIP bounceback-like configuration where the client connects to VIP_external, which points to the pool of HTTP proxy servers. The proxy servers reference VIP_webservers, which points to the pool of web servers. You could then configure SSL on any of the legs of the connection path. Of course, this would create two separate sets of connections: the client to proxy server would be one pair and the proxy server to web servers the other.

    [edit: actually, the configuration I just described matches what you have in your diagram (assuming you're able to change the proxy configuration to point to VIP_webservers in order to access the web servers). I don't think a rule is necessary. I'd suggest contacting support and going over your requirements to come up with a solution.]

    Aaron
  • Yes, I want to decrypt the traffic to the HTTP proxy, but have the BIG-IP re-encrypt it somehow after the proxy to the final web server.

    But the final web server is not in my pool. It could be any web server on the internet.
  • Is the purpose of this science project just to be able to inspect all of the HTTP traffic at the proxy? Why not just use a proxy that has the ability to decrypt SSL traffic, inspect it, and then re-encrypt it all by itself? (I think some vendors call that "SSL interception") What is this design aimed to accomplish that the other would not?
  • The purpose is to inspect both HTTP and HTTPS websites for adult content and redirect adult websites to an "Access not allowed" web page. The current HTTP proxies are incapable of handling encrypted traffic. So I need a design wherein the proxies process only HTTP traffic and the F5 takes care of decryption and re-encryption.
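The two-VIP layout Aaron describes in the third reply, written out as BIG-IP tmsh configuration. This is an added example, not configuration posted in the thread or shipped by F5: the object names, addresses, certificate files and pool members are assumptions, and VIP_webservers fronts a fixed pool of web servers as in Aaron's description rather than arbitrary internet hosts.

```tmsh
# Added example, not from the thread. All names, addresses and files are assumed.

# Leg 1: client TLS is terminated on VIP_external; traffic leaves in cleartext
# toward the HTTP proxies (the default behaviour the first reply describes).
ltm profile client-ssl clientssl_filter {
    defaults-from clientssl
    cert filter.example.com.crt
    key filter.example.com.key
}

ltm pool pool_http_proxies {
    monitor http
    members {
        10.10.1.11:80 { address 10.10.1.11 }
        10.10.1.12:80 { address 10.10.1.12 }
    }
}

ltm virtual VIP_external {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        clientssl_filter { context clientside }
    }
    pool pool_http_proxies
    source-address-translation { type automap }
}

# Leg 2: the proxies send plain HTTP to VIP_webservers on port 80; the server-ssl
# profile re-encrypts toward the web servers and verifies their certificates.
ltm profile server-ssl serverssl_upstream {
    defaults-from serverssl
    peer-cert-mode require
    ca-file ca-bundle.crt
}

ltm pool pool_web_servers {
    monitor https
    members {
        198.51.100.21:443 { address 198.51.100.21 }
        198.51.100.22:443 { address 198.51.100.22 }
    }
}

ltm virtual VIP_webservers {
    destination 10.10.2.10:80
    ip-protocol tcp
    profiles {
        tcp { }
        http { }
        serverssl_upstream { context serverside }
    }
    pool pool_web_servers
    source-address-translation { type automap }
}
```

For this to match the diagram, the proxies' upstream (parent) setting must point at VIP_webservers:80 instead of the proxies resolving and contacting origin hosts themselves. The segment between the LTM and the proxies carries cleartext, so it belongs on a dedicated network with nothing else on it, and `peer-cert-mode require` with a CA bundle makes the re-encrypted leg fail closed on an untrusted certificate rather than silently accept one. For the original poster's case, where the destination can be any web server on the internet, a fixed pool does not fit, and the certificate VIP_external presents on the first leg would have to be one the clients trust for every site name; that is the forward-proxy "SSL interception" function the fifth reply points to, not a load-balancer pool configuration.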