Forum Discussion
Kevin_Stewart
Sep 06, 2012 (Employee)
ProxySSL is a mechanism that allows the BIG-IP to "man-in-the-middle" the SSL key negotiation between the client and server. As such, that negotiation has to be able to happen without any interference. I haven't verified this, but I'm also assuming you can't "stack" ProxySSL profiles in a VIP-targeting scenario, i.e.:
client -> external VIP with ProxySSL -> internal VIP with ProxySSL -> server
If you have to do ProxySSL because of an end-to-end SSL requirement, you'll only be able to do it on one of the VIPs (external or internal), and in no case, unless you terminate the SSL, will you be able to make a switching decision based on HTTP data like the host name. Also, when I say "end-to-end" I'm specifically talking about SSL negotiations directly between the client and server, as if the BIG-IP wasn't there. That's mainly used in environments where the server needs the client's certificate in the SSL stream for authentication. If you just need SSL all the way to the server, then just decrypt at the BIG-IP and re-encrypt to the server. Then you have access to all of the HTTP data, you can forgo the ProxySSL complexity, and actually have a better chance of persisting the connections with something other than source IP.
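As an added illustration of the decrypt-at-BIG-IP, re-encrypt-to-server design described above (this is example code, not from the post or from F5), the iRule below makes the host-name switching decision that ProxySSL cannot. The pool names, the virtual server and profile names in the comments are assumptions chosen for the example.

```tcl
# Example iRule for a virtual server doing SSL bridging (not ProxySSL).
# Assumed virtual server setup for this to work (names are hypothetical):
#   - a client-ssl profile (e.g. clientssl_app)  -> BIG-IP decrypts the client side
#   - a server-ssl profile (e.g. serverssl)      -> BIG-IP re-encrypts to the pool members
#   - an http profile                            -> needed for HTTP::host to be available
# Because the SSL session terminates on the BIG-IP, HTTP_REQUEST fires with
# plaintext headers and we can pick a pool by Host header. With ProxySSL the
# payload is opaque to the BIG-IP, so no such decision is possible.
when HTTP_REQUEST {
    # Normalise the Host header: lower-case and drop any ":port" suffix.
    set host [lindex [split [string tolower [HTTP::host]] ":"] 0]

    switch -glob $host {
        "app1.example.com" {
            pool pool_app1_443
        }
        "app2.example.com" {
            pool pool_app2_443
        }
        "*.api.example.com" {
            pool pool_api_443
        }
        default {
            # Unknown or missing Host header: fall back to the VIP's default
            # pool rather than guessing. Log it once per request for triage.
            log local0.notice "No pool mapping for host '$host' from [IP::client_addr]; using default pool"
            pool pool_default_443
        }
    }
}
```

Since HTTP data is visible at this point, a cookie persistence profile can be attached to the same virtual server instead of relying on source-address persistence, which is the persistence advantage the post refers to.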