Forum Discussion

BJ_114988's avatar
BJ_114988
Icon for Nimbostratus rankNimbostratus
Jun 16, 2016
Solved

why do we attached http profile to SSL vip?

why do we attached http profile to vip on port 443?

 

My understanding that it is required for LB to understand web traffic after LB decrypt it..

 

Let me know your views..

 

Also..if there is redirect configured as below on vips : -

 

vip port80 (redirect to 443vip)----443 vip

 

if we remove ssl cert from 443 vip do we need to remove http profile from 443 vip?

 

application delivery
BIG-IP
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Jun 16, 2016

    HTTP profile is essentially a buffer+parser which checks whether the request format complies with the standard. When used, it opens up new possibilities for request/response adaption and payload modifications. It has some unintended benefits from the security standpoint too, for instance, it protects your web-servers from Slowloris attacks. So I would use it even when it's not a pre-requisite for your iRules or LTM policies.

     

10 Replies

Sort By
  • mo_99289's avatar
    mo_99289
    Historic F5 Account
    Jun 16, 2016
    you understand is correct, if you only want to use simple load balance without info from http payload, http profile is not necessary. regarding the redirect, do those vs process https traffic? if you remove ssl profile, http profile should be removed
  • BJ_114988's avatar
    BJ_114988
    Icon for Nimbostratus rankNimbostratus
    Jun 16, 2016
    How to identify if traffic has http payload? is there any simple way other than wireshark capture. regarding the redirect - yes they process https traffic..if we dont remove it , what will be impact and why it needs to be removed....lot of confusion here....
  • Hannes_Rapp's avatar
    Hannes_Rapp
    Icon for Nimbostratus rankNimbostratus
    Jun 16, 2016

    HTTP profile is essentially a buffer+parser which checks whether the request format complies with the standard. When used, it opens up new possibilities for request/response adaption and payload modifications. It has some unintended benefits from the security standpoint too, for instance, it protects your web-servers from Slowloris attacks. So I would use it even when it's not a pre-requisite for your iRules or LTM policies.

     

    • BJ_114988's avatar
      BJ_114988
      Icon for Nimbostratus rankNimbostratus
      Jun 16, 2016
      Thank you so much for answer..Finally understood why to use http profile..:) We are enabling cookie persistence on http vip with http profile... now it should work!! and just in case if user want to enable cookie persistence on ssl terminated VIP that is on vip with port 443.....do we still need to enable http profile on vip or will work with default tcp profile?
    • Vijay_E's avatar
      Vijay_E
      Icon for Cirrus rankCirrus
      Jun 16, 2016
      You would need HTTP profile for HTTP Cookie Persistence.
    • BJ_114988's avatar
      BJ_114988
      Icon for Nimbostratus rankNimbostratus
      Jun 16, 2016
      Thanks all for your answers!! really helped!! cherrs!
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    Jun 16, 2016

    HTTP profile is essentially a buffer+parser which checks whether the request format complies with the standard. When used, it opens up new possibilities for request/response adaption and payload modifications. It has some unintended benefits from the security standpoint too, for instance, it protects your web-servers from Slowloris attacks. So I would use it even when it's not a pre-requisite for your iRules or LTM policies.

     

    • BJ_114988's avatar
      BJ_114988
      Icon for Nimbostratus rankNimbostratus
      Jun 16, 2016
      Thank you so much for answer..Finally understood why to use http profile..:) We are enabling cookie persistence on http vip with http profile... now it should work!! and just in case if user want to enable cookie persistence on ssl terminated VIP that is on vip with port 443.....do we still need to enable http profile on vip or will work with default tcp profile?
    • Vijay_E's avatar
      Vijay_E
      Icon for Cirrus rankCirrus
      Jun 16, 2016
      You would need HTTP profile for HTTP Cookie Persistence.
    • BJ_114988's avatar
      BJ_114988
      Icon for Nimbostratus rankNimbostratus
      Jun 16, 2016
      Thanks all for your answers!! really helped!! cherrs!