Forum Discussion

ramesh_110176
Jun 01, 2009

iRule SSL passthrough

Hi

I would like incoming SSL connections to terminate on the webserver, instead of the LTM.

I have the below iRule:

    when HTTP_REQUEST {
        SSL::disable
    }

    when SERVER_CONNECTED {
        SSL::disable
    }

I have added to the VIP the clientssl and serverssl default profiles.

I am not sure if the above is correct.

6 Replies

  • You don't actually need an iRule to do this - simply assign a tcp profile (no HTTP, no SSL client/server, etc.) and pass the SSL traffic back to the servers at layer 4. Note that you'll give up any intelligent management of the traffic...

    -Matt
  • Don't specify an HTTP profile (or any SSL profiles) for SSL pass through: since the stream will be encrypted the device won't be able to go above layer 4, so you're stuck with a very basic setup. An HTTP profile won't apply here.

    -Matt
  • Hi

    Thanks, I think this is where I was going wrong. I had an HTTP profile added, which is just doing a redirect if the servers fail. Once I removed this it is working.
  • I am trying to get my GoDaddy cert to work on our BIG-IP but am getting errors.

    For instance, when I run the following command behind the firewall to our nginx app server it works perfectly:

        openssl s_client -connect g1-stage.ngmoco.com:443 -state -debug

    However, when I point the same command to the external BigIP URL it craps out:

        24209:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:

    I get that error when I have the http/ssl profiles disabled--this would mean it should do a pass through but is apparently failing somewhere. If I turn the SSL client/server profiles back on it fails with a handshake error. Does anyone know where there are detailed virtual server setup instructions for either dealing with SSL on the F5 or passing it straight through? Nothing I have read here is working for me.

    Jan
  • Hi Jan,

    If you want to pass the SSL through, then you can configure a standard TCP virtual server without an HTTP profile. Typically, the virtual server and the pool member(s) should be configured on port 443.

    If you want to decrypt the SSL, you need to import the cert and key, create a custom client SSL profile and add it to a standard TCP virtual server. Typically, the virtual server should be configured on port 443 and the pool member(s) should be configured on port 80.

    If you try one of these options and it doesn't work, try posting your virtual server and profile configuration using 'b virtual VIRTUAL_NAME list' and 'b profile clientssl CLIENTSSL_PROFILE_NAME list'.

    Aaron
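An added example, not from this thread or from F5, that does in Python what Jan's openssl s_client test does and names the kind of answer a port-443 virtual server returns: a TLS ServerHello when either the pool member (pass-through) or a client SSL profile (termination) is really speaking TLS, or a plaintext HTTP response, which is the case openssl reports as "unknown protocol" because the reply to its ClientHello is not a TLS record. The single cipher suite offered, the host name and the sample replies are constructed for the example.

```python
"""Check how a port-443 virtual server answers a TLS ClientHello (constructed example)."""
import os
import socket


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello: one cipher suite, no extensions (50 bytes)."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"        # version, random, empty session id
    body += b"\x00\x02\x00\x2f"                           # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                   # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 0x01 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # record type 0x16 = handshake


def classify_reply(data: bytes) -> str:
    """Name the kind of reply the far end gave to our ClientHello."""
    if not data:
        return "closed"            # reset or close: nothing listening, or the VS rejected us
    if data.startswith(b"HTTP/"):
        return "plaintext-http"    # HTTP answered in the clear (e.g. an HTTP profile with no
                                   # client SSL profile); openssl calls this 'unknown protocol'
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x02:
        return "tls-server-hello"  # a real TLS endpoint: pool member (pass-through) or LTM
    if len(data) >= 5 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"         # TLS endpoint reached, but it refused the offered handshake
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check against your own virtual server; needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_reply(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "closed"


# Constructed sample replies, not captured from any real host.
SAMPLES = {
    "redirect-vs": b"HTTP/1.0 302 Found\r\nLocation: https://vs.example.test/\r\n\r\n",
    "tls-vs": b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + b"\x00" * 32 + b"\x00\x00\x2f\x00",
    "alert": b"\x15\x03\x03\x00\x02\x02\x28",   # fatal handshake_failure
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name}: {classify_reply(reply)}")
```

Run `probe("vs.example.test")` against your own virtual server: "tls-server-hello" on a pass-through or terminating VS is the expected answer, while "plaintext-http" points at an HTTP profile answering before any SSL handling.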