ssl - profile

I think answer to the first question is "yes" but i have another query now :

 

 

in ssl profile there is no option to insert x-forward-for header then how i am going to send actual client ip to the webserver ?

Hi Singh,

 

 

If you want to decrypt the client to VIP SSL, you would import the cert/key and create a client SSL profile. If you want to re-encrypt the SSL on the server side, you would use a server SSL profile. You would only need to import a cert/key for the server SSL profile if the server(s) require a client cert for SSL handshakes.

 

 

Once you add a client SSL profile, LTM will decrypt all SSL. Nothing at the HTTP layer is changed after the SSL decryption is done. LTM does not act as an HTTP proxy to tunnel SSL with the CONNECT method.

 

 

Once you add a client SSL profile to the VIP, you can also add an HTTP profile. You can enable the XFF option on the HTTP profile to have LTM insert the original client IP address in the XFF header.

 

 

Aaron

Thanks hoolio as always .. that raise another query in my mind:

 

 

Purpose of SNAT that i can think of are :

 

 

1. Your webserver cannot route directly to outside world so it send it back to bigip and big ip send it to outside world.

 

2. In case there is no SNAT then webserver will directly send it back to client rather then sending it via big ip. Not sure how this is not secure ??

1. Agree

 

2. Generally, it won't work if the server responds back to the client *not* through LTM. If the server responds back to the client from the server's IP address, the client will reject the response because the client established the connection via the virtual server IP address. The exception to this is if you configure the server to respond from the IP address of the virtual server (known as nPath in the F5 world).

 

 

Aaron