Forum Discussion

cdeeds_144014
Aug 20, 2015

Encrypt traffic only between F5 LTM and server(s), keep client side traffic HTTP

This is a strange request, but I have a customer that wants to encrypt traffic between the F5 LTM and their server(s) only, and from the client side keep it HTTP. I realize this is probably not best practice, as well as inefficient, but is this even possible?

 

Scenario requested:

1. Client accesses virtual server on HTTP.
2. LTM encrypts and forwards request to server(s) via SSL (self-signed).
3. Server responds back to LTM with request via SSL.
4. LTM decrypts request and forwards back to client HTTP.

 

6 Replies

  • Hamish

    No problem. Just put a server SSL profile on the VS and away you go. No client SSL profile means the client talks HTTP. Server SSL profile means the comms between server & bigip are encrypted.

     

    H

     

  • Ah, that makes sense. The server(s) would also need any http <-> https redirection disabled as well, correct? Just trying to think of things that would ensure the client does not get an https response; their session would stay http the entire time but the server side to LTM would be https.

     

  • Hamish

    Yeah. You need to make sure any redirects and/or fully qualified URLs in the responses are re-written. If the app is well written you'll only have to deal with redirects and BASE tags... YMMV..

     

    :)

     

    H

     

  • Fair enough I suppose. Thank you for your quick responses and information about this topic, it's been very helpful!

     

  • Hi cdeeds,

     

    I have this requirement now and have been trying but am not able to fix it. Do you have any idea how you did it? My node/app always assumes/responds/redirects in HTTPS, but VIP to client side should be in HTTP only.

     

    I would appreciate it if you could give me some direction.

     

    --Vishu

     

  • Vishu,

     

    If you can, use an iRule to rewrite the https response from the server to http before it reaches the client.

     

    Rgrd, Aman
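
An iRule of the kind suggested in the replies above, as an added example that is not part of any post in the thread: it rewrites redirects and fully qualified URLs (BASE tags included) that point at the application's own host from https to http. It assumes the virtual server has an HTTP profile, a server SSL profile, no client SSL profile and a stream profile attached; the variable name `vs_host` is illustrative.

```tcl
# Added example, not from the thread. Assumed virtual server setup:
# HTTP profile + server SSL profile + stream profile, no client SSL profile.

when HTTP_REQUEST {
    # Remember the host the client asked for; only URLs on this host are rewritten,
    # so links to third-party HTTPS sites are left untouched.
    set vs_host [string tolower [HTTP::host]]

    # Do not run the stream filter on the request body.
    STREAM::disable

    # Ask the server for an uncompressed response so the stream filter can
    # match plain text in the body.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # Redirects: rewrite Location only when it points back at this application.
    # The empty-host guard covers requests that arrived without a Host header.
    if { [HTTP::is_redirect] && $vs_host ne "" } {
        set loc [HTTP::header value Location]
        if { [string tolower $loc] starts_with "https://$vs_host" } {
            # "https://" is 8 characters; keep everything after it.
            HTTP::header replace Location "http://[string range $loc 8 end]"
        }
    }

    # Bodies: rewrite fully qualified URLs and BASE tags in text responses.
    if { $vs_host ne "" && [HTTP::header value Content-Type] starts_with "text/" } {
        STREAM::expression "@https://$vs_host@http://$vs_host@"
        STREAM::enable
    }
}
```

Checking the result from a client with `curl -v` against the HTTP virtual server shows whether any `Location: https://...` header or absolute https URL still reaches the client.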