Forum Discussion

MarekHudak
Nimbostratus
Oct 25, 2019

Without SSL profiles user is not able to access website

Hello guys,

Would you be so kind as to help me with a problem related to SSL profiles?

It is strange, but without an SSL profile the user is not able to reach the website (virtual server) where there is a pool with one real server on which the certificate is loaded.

But when I load the same certificate on the F5 and add it to the SSL profile (client), the user is able to reach the VS and sees the correct certificate which was imported on the F5.

I do not see any connection between SSL profiles and the connection to servers. The user is getting 404 Not Found.

Thank you in advance. If you need some config, let me know.

5 Replies

  • Did you remove any and all application layer profiles from the virtual server such as HTTP profiles?

    • You can apply an HTTP profile but no SSL profile on the F5, then send HTTPS traffic, resulting in the F5 attempting to process the HTTP request but never finishing because it can never decrypt the traffic to actually view the HTTP data.

  • Hi,

    I am not sure if I understand what you are saying. Currently it is working because the certificate is on the BIG-IP, but I would rather have the certificate only on the real server (member of the pool).

    Please see the config which shows the current setting. What do you think should be changed?

    ltm virtual cmst.dieboldnixdorf.com-443 {
        destination 10.38.85.45:https
        ip-protocol tcp
        mask 255.255.255.255
        pool cmst.dieboldnixdorf.com-8443
        profiles {
            cmst.dieboldnixdorf.com {
                context clientside
            }
            diebold-http { }
            diebold-tcp { }
            serverssl {
                context serverside
            }
        }
        rules {
            Redirect_CMST
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 56
    }

    Thank you

    ltm virtual cmst.dieboldnixdorf.com-443 {
        destination 10.38.85.45:https
        ip-protocol tcp
        mask 255.255.255.255
        pool cmst.dieboldnixdorf.com-8443
        profiles {
            cmst.dieboldnixdorf.com {
                context clientside
            }
            diebold-http { } <---- Remove this
            diebold-tcp { }
            serverssl {
                context serverside
            }
        }

    Your current configuration asks the F5 to manage an impossible situation of manipulating encrypted HTTP content (HTTPS/TLS) without being able to decrypt it.

    You cannot use a client-side HTTP profile without a client SSL profile.

  • Thank you for the complex explanation. But after removal of the HTTP profile, the certificate will still be handled on the BIG-IP, yes? I would like to not handle the certificate on the BIG-IP, so the BIG-IP will just forward it to the member of the pool, which will provide the certificate to the end user.

    Thank you
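Putting the explanation above (an HTTP profile cannot parse bytes the BIG-IP never decrypts) together with the last question (certificate only on the pool member), here is an added example, written for this thread and not posted by anyone in it, of the same virtual server as an SSL passthrough VS. Names and addresses are reused from the posted config; the VS name is a constructed placeholder, and it is assumed that Redirect_CMST uses HTTP events (its contents are not shown in the thread).

```tmsh
# Added example (not from the thread): SSL passthrough variant of the posted VS.
# The BIG-IP only load-balances the TCP stream; the pool member terminates TLS
# and presents its own certificate, so no certificate is imported on the BIG-IP.
ltm virtual cmst.dieboldnixdorf.com-443-passthrough {
    destination 10.38.85.45:https
    ip-protocol tcp
    mask 255.255.255.255
    pool cmst.dieboldnixdorf.com-8443
    profiles {
        # Only the L4 profile stays:
        #  - no HTTP profile: without decryption there is no HTTP to parse,
        #    which is the failure the thread describes;
        #  - no client-ssl profile: the BIG-IP must not present a certificate;
        #  - no server-ssl profile: the client-to-server stream is already TLS,
        #    wrapping it in a second TLS session would break the handshake.
        diebold-tcp { }
    }
    # No "rules { Redirect_CMST }" here: an iRule that uses HTTP events
    # (assumed for Redirect_CMST) requires an HTTP profile, so any HTTP
    # redirect has to be done by the pool member instead.
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    # Client port 443 is still mapped to the member's 8443, as in the posted VS.
    translate-address enabled
    translate-port enabled
}
```

With this VS the certificate the browser sees is the one installed on the pool member, and the 404 from the HTTP profile cannot occur because nothing above L4 is processed on the BIG-IP.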