Forum Discussion

Dan_24306
Aug 14, 2013

Best practice for HTTP and HTTPS backend

Hello,

 

My company is trying to implement SSL on one of their legacy web sites. They already had an existing port 80 virtual server configured that would receive the traffic and then send it on to our servers on port 8081 that has been in place for quite some time. In trying to implement SSL, they requested a virtual server that listened on port 443 but they wanted to also send that traffic to the same two servers on port 8081. Does anyone know if it is best practice to do it that way? I am rather new to the company but I have worked with this type of set up many times in the past and usually the port 80 VS is tied to a pool that sends traffic to the servers on port 8080 and the port 443 VS would use a pool that sent the traffic to the servers on port 8081. I have recommended this but I'm being asked if it is better to separate the HTTP and HTTPS backend ports. If anyone has any info or links that detail any kind of best practices HTTP and HTTPS virtual servers and pools, please let me know. Thanks in advance.

 

Dan

 

13 Replies

  • Hi, is it necessary to run SSL to the backend? If not, I recommend terminating it at the BIG-IP and using HTTP between the BIG-IP and the backend. It has a positive performance impact on your backend server.

    But I never heard that you can run HTTP and HTTPS on the same port. The normal setup is one VS for HTTP with a pool for HTTP traffic and one VS for HTTPS with a pool for HTTPS traffic, i.e.

    --> (HTTP) bigip:80 (VS1) --> (HTTP) --> backend:80 (Pool1)
    --> (HTTPS) bigip:443 (VS2) --> (HTTPS) --> backend:8443 (Pool2)
    

    or

    --> (HTTP) bigip:80 (VS1) --> (HTTP) --> backend:80 (Pool1)
    --> (HTTPS) bigip:443 (VS2) --> (HTTP) --> backend:8443 (Pool2)
    

    I recommend the second example. It is the best for troubleshooting and network management. But if you need full security (SSL) to the end, it is the first example.

  • nathe

    Dan - are you offloading SSL on the virtual server and then sending the traffic from the F5 to the web server over HTTP? If so then this is fine - you could even use the same pool on the 443 VS. Then the F5 is doing the SSL work (which it's great at) and this means the server doesn't have to. Internally you may not need the traffic to be re-encrypted. This would be a local decision for you. I've seen it both ways, i.e. we've also re-encrypted the internal traffic.

     

    If you wanted to re-encrypt the traffic (using a Server SSL profile) then I don't believe you can use the same backend port (8081), you'd have to setup a new port on the server to accept SSL.

     

    Hope this answers your question.

     

    N

     

  • We are offloading SSL on the VS and then sending the traffic to the servers on port 8081. We don't need SSL all the way through so it looks like we are ok to use the same backend port 8081 for both the port 80 VS and 443 VS since we are not re-encrypting the traffic. Thank you for the input!

     

  • It's fine to use the same pool for both HTTP and HTTPS virtual servers in this type of situation, so long as the backend doesn't need to distinguish users accessing over SSL from those coming in plain text. (Though inserting a header can rectify that as well.)
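The offload layout recommended in the first reply, nathe's point that the 443 virtual server can then share the same 8081 pool, and the header insertion mentioned in the reply just above, as one added tmsh configuration example. This is not code from the thread or from F5's documentation: the object names (pool_legacy_8081, clientssl_legacy, xfp_mark_scheme, vs_legacy_http, vs_legacy_https), the member addresses 10.0.10.11/12, the VIP 192.0.2.10 and the certificate and key file names are all assumed placeholders; only the backend port 8081 comes from the question.

```tmsh
# Added example (not from the thread). Assumed names: pool_legacy_8081, clientssl_legacy,
# xfp_mark_scheme, vs_legacy_http, vs_legacy_https, members 10.0.10.11/12, VIP 192.0.2.10,
# and the cert/key file names. Written in bigip.conf style; it can be applied with
# "tmsh load sys config merge from-terminal".

# One pool on backend port 8081, shared by both virtual servers because SSL is
# terminated on the BIG-IP and the servers only ever see plain HTTP.
ltm pool pool_legacy_8081 {
    members {
        10.0.10.11:8081 { address 10.0.10.11 }
        10.0.10.12:8081 { address 10.0.10.12 }
    }
    monitor http
}

# Client-side SSL profile: the BIG-IP terminates TLS with this certificate and key.
ltm profile client-ssl clientssl_legacy {
    defaults-from clientssl
    cert legacy.example.com.crt
    key legacy.example.com.key
}

# Tell the backend which scheme the client actually used. "replace" (rather than
# "insert") overwrites any X-Forwarded-Proto header a client sends itself, so a
# plain-HTTP client cannot claim it arrived over TLS.
ltm rule xfp_mark_scheme {
when HTTP_REQUEST {
    if { [PROFILE::exists clientssl] } {
        HTTP::header replace X-Forwarded-Proto https
    } else {
        HTTP::header replace X-Forwarded-Proto http
    }
}
}

# Port 80 listener: plain HTTP in, plain HTTP to 8081.
ltm virtual vs_legacy_http {
    destination 192.0.2.10:80
    ip-protocol tcp
    profiles {
        http { }
        tcp { }
    }
    pool pool_legacy_8081
    rules { xfp_mark_scheme }
    source-address-translation { type automap }
}

# Port 443 listener: TLS terminated by clientssl_legacy, plain HTTP to the same 8081 pool.
ltm virtual vs_legacy_https {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        clientssl_legacy { context clientside }
        http { }
        tcp { }
    }
    pool pool_legacy_8081
    rules { xfp_mark_scheme }
    source-address-translation { type automap }
}
```

If separate per-VS statistics are wanted, a second pool with the same two 10.0.10.x:8081 members can be defined and attached to vs_legacy_https instead; the members are identical, only the counters are kept apart. If the traffic ever has to be re-encrypted, a server-ssl profile would be added to vs_legacy_https and its pool pointed at a port where the servers actually speak TLS, which is nathe's caveat about 8081 above.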

     

  • Personally, I always like to use a separate pool for each VS. While it increases the size of the config administration, what it does give you is individual statistics which is a big bonus when troubleshooting.

     

  • As others have said you can use the same pool but as macro_octavian said I'd go with a unique pool even if the IPs and ports are the same. Having the statistics and the ability to manipulate them independently may prove valuable in the future. Usually at 02:00 AM :)

     

  • Thanks again for the input. I just emailed the app owners to see if changing the port is a viable option. I agree it would make troubleshooting much better in the future if they were on different back end ports.

     

  • I have a problem which is much the same as the situation above. --> (HTTPS) bigip:443 (VS1) --> (HTTP) --> backend:80 (Pool1)

     

    But it did not work. Can anyone tell me how to configure it to resolve this issue? Thanks in advance.

     

    1. What is the status of the pool?
    2. Are you able to telnet/curl to the back-end server from the LB CLI?
    3. Try enabling SNAT automap on the VIP; hopefully the issue will be solved. Otherwise take a tcpdump.
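The three checks above, as an added example of the corresponding commands typed at the tmsh prompt on the BIG-IP; this is not from the thread or from F5's documentation. The object names vs_legacy_https (the 443 VIP at 192.0.2.10) and pool_legacy_80, and the member address 10.0.10.11, are assumed; only the 443-in, port-80-out layout comes from the post being answered.

```tmsh
# Added example (not from the thread). Assumed names: vs_legacy_https at 192.0.2.10:443,
# pool_legacy_80 with member 10.0.10.11:80. Run at the "(tmos)#" prompt.

# 1. Pool status: the member should show available/enabled, not offline.
#    An offline member means the monitor, not the VS, is the first thing to fix.
show ltm pool pool_legacy_80 members

# 2. Can the BIG-IP itself reach the backend? A response here rules out routing
#    and the server process; "-v" shows the status line and headers.
run util bash -c "curl -sv -o /dev/null http://10.0.10.11:80/"

# 3. SNAT automap. Without it the backend sees the real client IP and, if its default
#    gateway is not the BIG-IP, replies straight to the client, so the handshake
#    through the VS never completes even though the pool looks healthy.
modify ltm virtual vs_legacy_https source-address-translation { type automap }

# What the VS is really built from: client-ssl/http profiles, iRules, SNAT setting.
list ltm virtual vs_legacy_https profiles rules source-address-translation

# If it still fails, capture the server side while a test client connects.
# Interface 0.0 sees every VLAN; filter on the member so only its flow is shown.
run util tcpdump -nni 0.0 -s0 host 10.0.10.11 and port 80

# Connection and byte counters on the VS move only if traffic reaches it and is passed on.
show ltm virtual vs_legacy_https
```

The `list ltm virtual ... profiles` line is also where the fix the original poster eventually reports (setting the HTTP profile to None) would be visible: an http profile attached to the 443 VS shows up there alongside the client-ssl profile.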
    • themyth_317517

      Dear, - I can telnet from outside to the VIP IP/port 443. - The pool is working (monitor health), and the service is already running on port 80. But it is still not working. Please help. Thank you

       

    • Samir_Jha_52506
      1. Are you able to access the back-end server directly from a browser? Ex.

         

      2. Enable SNAT automap in vip & try. Hope it will work.

         

    • themyth_317517

      It's OK now. I just changed the HTTP profile to None. Thank you very much