SSL/TLS pass-through

0

Do you have a configuration guide for KEMP similar to this in HAPROXY?

https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/

SSL/TLS pass-through

In this mode, HAProxy does not decipher the traffic. It simply opens a TCP tunnel between the client and the server to let them negotiate and handle the TLS traffic.

The diagram below illustrates this layout:

Here, HAProxy simply runs in mode tcp. The sample fetch methods that apply to this mode are those whose names start with req.ssl_.

5 comments

0
Tony Vaughan

Hello,

If you create an HTTPS service, by default the LoadMaster will pass traffic to the real server and will not decrypt the traffic; the client and real server will negotiate the SSL handshake, the same as in the diagram you provided.

Only if you enable SSL Acceleration will the LoadMaster decrypt the traffic and negotiate the SSL handshake with the client.

Please see this link for more details on SSL acceleration:
https://support.kemptechnologies.com/hc/en-us/articles/203125829-SSL-Accelerated-Services

0
Halodata Administrator

Hi Tony,

I can't get the same configuration for KEMP as I could on HAProxy:

Client (SNI Request server1.example.com:443 resolve to Reverse Proxy IP) -> Reverse Proxy -> Backend Server (server1.example.com:443)

Client (SNI Request server2.example.com:443 resolve to Reverse Proxy IP) -> Reverse Proxy -> Backend Server (server2.example.com:443)

The above is done at layer 4, but I can't configure that on KEMP; it keeps stopping the request at the reverse proxy side, and requests are not forwarded to the backend server. Also, we are forwarding on the same HTTPS port for every backend server.

0
Tony Vaughan

Hello,

If you enable the option Force L4 under the virtual service standard options, this will force the virtual service to use Layer 4; this should be the same configuration as you had on HAProxy.

Please note that if you use L4 on a VS, it is automatically transparent; the routing will behave differently, so some changes are required in your environment.

Please see these links for more details on transparency and Direct Server Return:

https://support.kemptechnologies.com/hc/en-us/articles/203126369-Transparency

https://support.kemptechnologies.com/hc/en-us/articles/202040805-Direct-Server-Return-DSR-

If you are still having issues with this, I would recommend contacting our support team to get a better look at the scenario.

0
Halodata Administrator

I have tried L4; the problem is that it is not a direct substitute for HAProxy's TLS/SSL passthrough with SNI.

The L4 feature does not detect the Server Name Indication (SNI) and redirect the request to the backend server automatically.

This is very important when a lot of sites are hosted in the backend and we do not want to break TLS end-to-end encryption while hosting every single backend server on the same port 443.

0
Mark Hoffmann -- Technical Product Manager, LoadMaster Product Owner

Hi and thanks for posting,

Support referred this over to me, as this is a request for a new feature on LoadMaster. I understand that other ADCs do offer this feature (SSL passthrough using SNI to direct to a specific server): HAProxy, as you point out, F5, and probably others. I've added your vote to the existing feature request for this, which is on our feature request forum:

https://support.kemptechnologies.com/hc/en-us/community/posts/212831483-Ability-to-use-SNI-in-SubVS-as-well-as-SNI-Hostname-Pass-through?page=1#community_comment_229315143

You can check the above thread for notification when this feature is taken into a release for development.

Best regards,

Mark