Let's do some SSL offload on an F5 LTM.
SSL offloading relieves a web server of the processing burden of decrypting and encrypting HTTPS traffic. The work is moved to a separate device designed specifically for SSL acceleration or SSL termination. (The protocol browsers negotiate today is TLS, the successor of SSL; F5's documentation and GUI still use the SSL label, and so does this post.)
BIG-IP Local Traffic Manager with the SSL Acceleration Feature Module performs SSL offloading.
The F5 BIG-IP can process SSL in two ways:
Client SSL – the F5 decrypts the encrypted traffic arriving from the client; the client's TLS session ends on the BIG-IP.
Server SSL – the F5 re-encrypts the traffic before sending it on to the backend servers. Without a Server SSL profile, the leg between the BIG-IP and the servers is plaintext HTTP. That is the whole point of offloading, but it also means that leg must run over a network you trust.
There are a number of advantages to SSL termination on the F5:
- Allows iRules processing and cookie persistence, since the BIG-IP can only read HTTP headers and cookies once it has decrypted the traffic.
- SSL traffic is offloaded from the web servers.
- SSL key exchange and bulk encryption are performed by a single piece of BIG-IP hardware rather than needing additional hardware in each web server.
- Centralized certificate management: renewals happen on the BIG-IP rather than on every server.
Configuring Client SSL comprises three steps:
- Import or generate the SSL certificate and key
- Configure the Client SSL profile
- Configure the virtual server
1a. Certificate (Import)
- Go to ‘Local Traffic | SSL Certificates | Import’.
- Select Certificate as the Import Type.
- Enter the Certificate Name.
- Supply the certificate in the Certificate Source section (upload the file or paste the PEM text).
- Click Import.
Note : The certificate must be PEM, i.e. Base-64 encoded DER between BEGIN CERTIFICATE and END CERTIFICATE lines. The file extension does not matter (.crt, .cer and .pem are all accepted as long as the content is PEM), which is why a .crt copied from one F5 can be imported on another. A binary DER export has to be converted to PEM first, for example with openssl x509 -inform DER -outform PEM.
Keys are imported the same way: set Import Type to “Key” and upload the key file from your local computer.
The private key is the secret that makes the site trustworthy, so move it between devices over an authenticated channel (scp, not e-mail or a chat tool) and delete the working copy afterwards.
1b. Certificate (Generate): use this to produce a CSR for a CA, or a self-signed certificate.
- Go to ‘Local Traffic | SSL Certificates | Create’.
- In the General Properties section enter the Name, then complete the Certificate Properties fields. The Common Name must match the hostname clients will connect to.
- Click Finished.
Note : Certificates and keys are synchronized on redundant systems.
Note : The locations for the certificate/keys are:
2. Configure Profile
Next we need to configure the Client SSL profile.
- Go to ‘Local Traffic | Profiles | SSL | Client | Create’
- In the General Properties section enter the Name, set the Parent Profile to clientssl, and tick Custom so the inherited fields become editable.
- In the Configuration section select the Certificate and Key imported or generated in step 1.
- Click Finished.
3. Configure the Virtual Server
- On the virtual server that will terminate SSL (the one listening on port 443), set SSL Profile (Client) to the profile created in step 2.
- Set HTTP Profile to “http”; without it the BIG-IP treats the decrypted stream as opaque TCP, and iRules and cookie persistence cannot see the HTTP layer.
- Set SSL Profile (Server) to “None” unless the backend must receive re-encrypted traffic (see below).
Don’t skip this: enabling SSL termination on the virtual server is not enough; the virtual server also has to point at the right pool. If you are editing an existing virtual server, it is probably still pointing at a pool of servers on port 443. Those servers now receive plaintext HTTP on their SSL port; Apache, for instance, answers with a 400 Bad Request page complaining that plain HTTP was sent to an SSL-enabled server port. To fix this (or to set it up on a new virtual server), open the “Resources” tab of the virtual server.
Under the “Load Balancing” section, select the same “Default Pool” that your plain-HTTP virtual server uses. Both HTTP and formerly-HTTPS traffic then arrive on the same port (80) on the backend servers.
If Server SSL is required, select the serverssl profile from the SSL Profile (Server) dropdown on the virtual server and point it at a pool whose members listen on 443. Note that the default serverssl profile does not verify the backend server’s certificate; if the server-side leg must be authenticated and not merely encrypted, create a custom serverssl profile with Server Certificate set to require and a Trusted Certificate Authorities bundle.
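As an added example (not code from the original post, and not F5's), here is a pre-flight shell script for the procedure above. It covers both the certificate import in step 1 and the profile and virtual server configuration in steps 2 and 3: it validates a certificate/key pair before import (PEM or DER, not expired, private key matches the certificate), then writes the tmsh commands that build the same objects the GUI steps create, including the port-80 pool the 443 virtual server must point at. The object names, pool members, virtual server address and the /var/tmp upload path are assumptions; the test pair it generates is constructed input.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from F5: a pre-flight
# script for the client-ssl offload procedure described above. It checks a
# certificate/key pair before import (step 1) and writes the tmsh equivalent
# of GUI steps 1-3. Object names, pool members and addresses are assumptions.
set -eu

# Generate a throwaway self-signed pair ($1.key, $1.crt) as constructed input.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=www.example.com" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# verify_pair CERT KEY: succeed only if the certificate has not expired, the
# key loads, and the key's public half equals the one embedded in the cert.
# A binary DER certificate (a .cer exported from Windows, say) is converted to
# PEM first, because that is the format the BIG-IP importer expects.
verify_pair() {
    local cert="$1" key="$2" cpub kpub
    if ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
        openssl x509 -inform DER -in "$cert" -out "$cert.pem" 2>/dev/null \
            || { echo "not a PEM or DER certificate: $cert" >&2; return 1; }
        cert="$cert.pem"
    fi
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate is expired or unreadable: $cert" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "private key is unreadable (encrypted?): $key" >&2; return 1; }
    # Compare SubjectPublicKeyInfo of both sides; works for RSA and EC keys.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cpub" = "$kpub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    echo "ok: $(openssl x509 -in "$cert" -noout -subject)"
}

# emit_tmsh CERT KEY OUT: write the tmsh commands equivalent to GUI steps 1-3
# to OUT and print OUT. Assumed names: cert/key objects www_example_com.*,
# pool pool_www_http with port-80 members, virtual vs_www_https on
# 203.0.113.10:443. The files are assumed to have been scp'd to /var/tmp on
# the BIG-IP beforehand.
emit_tmsh() {
    local cert="$1" key="$2" out="$3" name="www_example_com"
    cat >"$out" <<EOF
# 1. import certificate and key
install sys crypto cert ${name}.crt from-local-file /var/tmp/$(basename "$cert")
install sys crypto key ${name}.key from-local-file /var/tmp/$(basename "$key")
# 2. client-ssl profile, parent clientssl
create ltm profile client-ssl ${name}_clientssl defaults-from clientssl cert-key-chain add { default { cert ${name}.crt key ${name}.key } }
# 3. plaintext pool on port 80 (the same pool the HTTP virtual uses) and the 443 virtual
create ltm pool pool_www_http members add { 10.0.0.11:80 10.0.0.12:80 } monitor http
create ltm virtual vs_www_https destination 203.0.113.10:443 ip-protocol tcp profiles add { http ${name}_clientssl } pool pool_www_http
# optional re-encryption: add serverssl and switch to a pool whose members listen on 443
# modify ltm virtual vs_www_https profiles add { serverssl } pool pool_www_https
save sys config
EOF
    echo "$out"
}

# Usage: ./preflight.sh site.crt site.key   (writes site.tmsh next to the cert)
if [ "$#" -eq 2 ]; then
    verify_pair "$1" "$2"
    emit_tmsh "$1" "$2" "${1%.*}.tmsh"
fi
```

Run it against the real certificate and key before touching the BIG-IP; a mismatched key is the most common reason a freshly imported certificate refuses to attach to a Client SSL profile. The generated tmsh lines are then run on the BIG-IP in tmsh. The optional serverssl line is left commented because, as noted above, the built-in serverssl profile does not verify the backend certificate.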