Forum Discussion

Mayank_Shukla
Apr 19, 2016

End-to-end SSL

Do we need to install an SSL cert on both the LB and the real server for features like X-Forwarded-For and iRules (modifying HTTP behavior) to work for an HTTPS VIP? Please explain briefly.

2 Replies

  • Yes, installing a certificate on the BIG-IP is mandatory for the features you mentioned.

    Installing a certificate on the web server is only mandatory if you forward connections to an SSL-enabled port. Otherwise, the F5 can also forward connections to a plain-HTTP port, in which case you do not need to install a certificate on the web server.

  • For both X-Forwarded-For and iRules we have to gain access to the encrypted payload to read data and make changes. The only way to do that is to have the private key and SSL cert installed so we can encrypt and decrypt the data (acting as the server in this case). If you don't need to have the traffic encrypted between the BIG-IP and the pool member, you are done at this point. If you want that traffic encrypted to the back end, you will need to install the cert and key on the back-end server as well. After we are done manipulating the data, we will contact the back-end server as a client, re-encrypt the data as normal and send it to the pool member.
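As an added example (not part of this thread or F5's own documentation), the tmsh configuration for the two variants the replies describe: SSL offload to a plain-HTTP pool, and end-to-end SSL with a server-ssl profile toward an HTTPS pool. Object names, addresses and the certificate/key names are placeholders, and the cert and key are assumed to be already imported on the BIG-IP.

```tmsh
# Added example; names, addresses and cert/key objects are placeholders.

# 1. Client-side SSL profile: the BIG-IP holds the cert and key, so it
#    terminates the client's TLS session and can see the HTTP payload.
create ltm profile client-ssl clientssl_example {
    defaults-from clientssl
    cert example.crt
    key example.key
}

# 2. HTTP profile that inserts X-Forwarded-For with the real client IP.
#    Only possible once the request is decrypted on the BIG-IP; the same
#    applies to iRules that touch HTTP headers or content.
create ltm profile http http_xff {
    defaults-from http
    insert-xforwarded-for enabled
}

# 3a. SSL offload: pool members listen on plain HTTP, so the web servers
#     need no certificate; only the client-ssl profile is attached.
create ltm pool pool_web_http {
    members add { 10.0.0.11:80 10.0.0.12:80 }
    monitor http
}
create ltm virtual vs_https_offload {
    destination 192.0.2.10:443
    ip-protocol tcp
    pool pool_web_http
    profiles add { tcp http_xff clientssl_example { context clientside } }
    source-address-translation { type automap }
}

# 3b. End-to-end: a server-ssl profile makes the BIG-IP re-encrypt as a
#     client toward members on 443, which must carry their own cert/key.
create ltm profile server-ssl serverssl_example {
    defaults-from serverssl
}
create ltm pool pool_web_https {
    members add { 10.0.0.11:443 10.0.0.12:443 }
    monitor https
}
create ltm virtual vs_https_e2e {
    destination 192.0.2.11:443
    ip-protocol tcp
    pool pool_web_https
    profiles add {
        tcp
        http_xff
        clientssl_example { context clientside }
        serverssl_example { context serverside }
    }
    source-address-translation { type automap }
}
```

With variant 3b the certificate the pool member presents is still validated only if the server-ssl profile is configured to do so; the default serverssl profile does not verify the back-end certificate.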