QUESTION
How can I use SSL/TLS termination at F5 Load Balancer?
ANSWER
For the Load Balancer to act as the SSL termination point, implement the following. This procedure makes the Load Balancer, rather than EFT, responsible for the encryption of the SSL connection, which lets the customer serve multiple SSL applications from a central certificate repository. EFT makes a plain HTTP connection to the DMZ Gateway, the DMZ Gateway makes an HTTP connection to the Load Balancer, and the Load Balancer makes the HTTPS connection to the remote connecting party.
Overview of problem:
- Client makes request to F5 as "HTTPS://<address>"
- F5 acts as a reverse proxy and converts the HTTPS request to HTTP.
- F5 sends this request to the DMZ Gateway as HTTP.
- This request is shuttled through DMZ to EFT as HTTP.
- Because a partial address was used, EFT responds with "302 Moved temporarily" and supplies the full address http://<ip address>/EFTClient/Account/Login.htm. It uses http because the Proxy-to-EFT hop was over HTTP, so it assumes http is the correct protocol for the redirect.
- Connection is sent back to F5 over HTTP.
- F5 receives server response and attempts to reroute back to source/client.
- Client receives the address http://<ip address>/EFTClient/Account/Login.htm and tries to connect to it. This is invalid. The F5 does not accept HTTP requests.
What needs to happen:
- F5 receives the server response, having told EFT through the X-Original-Protocol: HTTPS header that the original client connection was HTTPS, so the redirect is issued as https.
- Client receives the address https://<ip address>/EFTClient/Account/Login.htm and successfully connects.
Resolution:
- Create a certificate to use on F5 for SSL offloading, if not already done.
- Ensure that the HTTPS virtual server SSL Profile (Client) property is configured to use the certificate.
- Change the default pool for the HTTPS virtual server to point to the HTTP pool.
- Create an iRule (as shown below) to add the appropriate header and add it to the HTTPS virtual server.
Here is the iRule:
when HTTP_REQUEST {
    # Tell EFT that the original client connection was HTTPS, so its redirects use https://
    HTTP::header insert "X-ORIGINAL-PROTOCOL" "https"
}
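To show why the header fixes the redirect, here is an added Python simulation of the backend side of the exchange above (hypothetical helper code, not EFT's own implementation): it builds the 302 Location from the scheme carried in X-ORIGINAL-PROTOCOL, falls back to the scheme of the hop it actually sees, and honours only the values http and https so a malformed header value cannot end up in the redirect. The host 203.0.113.10 in the test is a constructed sample.

```python
# Added example: simulate how a backend behind an SSL-offloading F5 picks the
# scheme for an absolute redirect. Hypothetical helper, not EFT's own code.
from typing import Mapping, Tuple, Dict

HEADER = "X-ORIGINAL-PROTOCOL"   # header inserted by the F5 iRule
ALLOWED_SCHEMES = {"http", "https"}


def redirect_scheme(headers: Mapping[str, str], connection_scheme: str) -> str:
    """Return the scheme to place in a redirect Location.

    headers: request headers as forwarded by the proxy (names are case-insensitive).
    connection_scheme: scheme of the hop the backend sees ("http" behind the F5,
    because the load balancer terminates TLS and forwards plain HTTP).
    Only "http"/"https" are honoured; any other value falls back to the hop scheme,
    so a bogus header cannot turn the redirect into an arbitrary URL.
    """
    for name, value in headers.items():
        if name.lower() == HEADER.lower():
            candidate = value.strip().lower()
            if candidate in ALLOWED_SCHEMES:
                return candidate
            break
    return connection_scheme


def build_location(headers: Mapping[str, str], host: str,
                   path: str = "/EFTClient/Account/Login.htm",
                   connection_scheme: str = "http") -> str:
    """Absolute URL for the login page, as EFT would send it in the redirect."""
    scheme = redirect_scheme(headers, connection_scheme)
    return f"{scheme}://{host}{path}"


def handle_partial_request(headers: Mapping[str, str], host: str) -> Tuple[int, Dict[str, str]]:
    """Model the 302 the backend returns when a partial address is requested."""
    return 302, {"Location": build_location(headers, host)}


if __name__ == "__main__":
    # Without the header (the broken flow) the client is sent to http://, which the F5 rejects.
    print(handle_partial_request({}, "203.0.113.10"))
    # With the header the iRule adds, the redirect points back at https://.
    print(handle_partial_request({"X-ORIGINAL-PROTOCOL": "https"}, "203.0.113.10"))
```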