Client Source IP - SSL pass through

if I add a client assl and server ssl can I access to Source IP address with X- Forward?

yes. why doesn't the application allow SSL offload? is it simply that the application requires SSL?

Im not aware of the application feature ..just they told me the tests was unsuccessful and they need ssl pass through. So the server ssl will do it for me thank you

clientssl and serverssl profiles perform SSL offload, which won't work for this application

You could, in theory, utilize Proxy SSL, assuming your security policy allows it. This requires that you have the same SSL cert and key on all the pool members and that cert/key is available to the F5 as well.

 

https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

 

With this configuration you can use an iRule to insert/modify X-Forwarded-For.

 

This is, for all intents and purposes, doing a man in the middle. It only works for RSA. If you require ECC it doesn't work.

 

but server=ssl again encrypt the traffic so the server receive the encrypted. so for server it isn't like ssl pass-through?

it depends on why the application would not work before when a clientssl profile was applied. a clientSSL profile will terminate the client's SSL session on the F5, and the serverSSL will re-encrypt back to the pool member. if coupled with an http profile with x-forwarded-for enabled, the backend device should be able to use the x-forwarded-for header as the client-ip

Thanks I will test it.