
I'm trying to understand why a particular load balancer --> web server configuration works so please allow me to paint the picture.

I have an F5 load balancer (LB) which passes traffic to a web server (WSvr). The WSvr is running IIS 8.

LB has its own SSL certificate, i.e. https://www.example.com. The WSvr has a separate SSL certificate, i.e. https://myWebServer.example.com.

I expected this LB --> WSvr configuration to fail but it actually worked and I really don't understand why. Not only did it work but I was able to authenticate into the web application that's hosted on the WSvr, which means the session stayed active throughout.

I thought that if you choose to go with a certificate on the LB and the WSvr, the same certificate must be installed on both machines. That is, the LB IP address and the WSvr IP address must map to the same DNS name, i.e. www.example.com. Not two completely separate certificates. (In my case, the LB maps to www.example.com. And the WSvr maps to myWebServer.example.com.) How is it that the LB can talk to the WSvr and keep the session active?

This is how I picture a typical request with the above scenario (which is obviously not correct based on what's actually happening, but it illustrates why I thought it would fail):

  1. Get https://www.example.com/login.html

  2. LB encrypts www.example.com/login.html via LB's SSL cert and passes it to the WSvr

  3. SSL is stripped from the request, killing the session. WSvr re-encrypts it with its own SSL cert, creating a new session.

I would appreciate if someone can enlighten and steer me on the right path and explain why I'm incorrect and why the above configuration works.

Thank you very much for your time.

1 Answer


The key here is that there are two separate connections (sessions) and hence two separate SSL handshakes, one between the client and the LB and the other between the LB and the backend. The first handshake verifies that the client wants to connect to https://www.example.com and the second verifies that the LB wants to connect to https://myWebServer.example.com. There is no "stripping off" of SSL. Each request sent by the client passes through both the connections, so in fact, it is encrypted twice.


4 Comments

Fascinating. TY. 1) So then why would authentication into a web app not fail, if there are two separate sessions going on here? Or is it that the session is bound to HTTPS and therefore SSL/TLS plays no part other than encrypting the contents? 2) Is there any difference if I were to use one wildcard SSL cert and apply it to the LB and WSvr? Would there still be two connections and the contents would be encrypted twice? Or, would it be seen as one connection? Thanks again.
(1) Depends on how authentication is being done. Is client cert authentication turned on for the webapp? (2) The only way you can avoid two connections is if you use something like "SSL Passthrough" with an L4 VIP. That will avoid double encryption.
TY. (1) I don't see any client cert auth turned on. I'll have to investigate further on this. (2) To be honest, I'm not sure if this F5 LB is L4 or L7. It's likely L7 (HTTP). So I guess it doesn't matter what kind of SSL cert is installed, if there are two unique certs or if the LB and WSvr share the same SSL cert. Wildcard cert. SAN cert. Doesn't matter. It'd be double encryption for L7 VIP, correct? I sincerely appreciate your insight on this topic, Rahul. TY.
(1) If there is no client cert auth turned on for the webapp, then there is no validation happening at the webapp. The LB doesn't even need to present a cert as part of the handshake. (2) For an L7 VIP, there will be double encryption because of two SSL handshakes. An L4 VIP will not terminate SSL and simply "passthrough" everything above L4 as payload.
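An added example, not part of the question, the answer or the comments, that stands up both topologies the answer and the comments describe using only Go's standard library: a backend presenting a myWebServer.example.com certificate, an L7 VIP that terminates TLS with a www.example.com certificate and opens its own, separately verified TLS connection to the backend, and an L4 VIP that only copies TCP bytes. Everything in it is a constructed stand-in: the certificates are self-signed and minted at run time, the web app's session is assumed to be a cookie named `session` with the made-up value `abc123`, and the reverse proxy and echoing backend are illustrative code, not F5 or IIS behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// Result: the certificate the client's own handshake verified, and what the backend answered.
type Result struct{ ClientSawCert, Body string }

// selfSigned mints a throwaway certificate for one DNS name plus the client-side config that
// trusts exactly it (the two halves of one handshake). Stand-ins for the real LB and IIS certs.
func selfSigned(host string) (tls.Certificate, *tls.Config) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, &tls.Config{RootCAs: pool, ServerName: host}
}

// backend plays IIS: it echoes the Cookie header it received (the app's session) and the SNI
// of the handshake that actually reached it, so we can see which connection carried the request.
func backend(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "cookie=%s sni=%s", r.Header.Get("Cookie"), r.TLS.ServerName)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// l7LB plays a terminating (L7) VIP: a TLS server presenting the LB certificate to the client,
// plus a separate TLS client that verifies the backend under the backend's own name. Two
// handshakes, two sessions; the HTTP request, cookie included, is decrypted and re-encrypted.
func l7LB(lbCert tls.Certificate, backendURL string, toBackend *tls.Config) *httptest.Server {
	u, _ := url.Parse(backendURL)
	proxy := httputil.NewSingleHostReverseProxy(u)
	proxy.Transport = &http.Transport{TLSClientConfig: toBackend}
	srv := httptest.NewUnstartedServer(proxy)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{lbCert}}
	srv.StartTLS()
	return srv
}

// l4LB plays a passthrough (L4) VIP: it copies TCP bytes and holds no key, so the only
// handshake is client <-> backend and the client ends up verifying the backend's certificate.
func l4LB(backendAddr string) net.Listener {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			if b, err := net.Dial("tcp", backendAddr); err == nil {
				go io.Copy(b, c)
				go func() { io.Copy(c, b); c.Close(); b.Close() }()
			}
		}
	}()
	return ln
}

// fetch is the browser: one GET carrying the (constructed) session cookie, verifying whatever the VIP presents.
func fetch(vipURL string, cfg *tls.Config) (Result, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	req, _ := http.NewRequest("GET", vipURL+"/login.html", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "abc123"})
	resp, err := client.Do(req)
	if err != nil {
		return Result{}, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return Result{resp.TLS.PeerCertificates[0].Subject.CommonName, string(body)}, nil
}

// Demo sends the same authenticated request through an L7 VIP and then an L4 VIP.
func Demo() (l7, l4 Result, err error) {
	lbCert, trustLB := selfSigned("www.example.com")
	wsCert, trustWS := selfSigned("myWebServer.example.com")
	ws := backend(wsCert)
	defer ws.Close()
	lb := l7LB(lbCert, ws.URL, trustWS)
	defer lb.Close()
	if l7, err = fetch(lb.URL, trustLB); err != nil {
		return
	}
	pass := l4LB(ws.Listener.Addr().String())
	defer pass.Close()
	l4, err = fetch("https://"+pass.Addr().String(), trustWS)
	return
}

func main() { fmt.Println(Demo()) }
```

Through the L7 VIP the client's handshake verifies www.example.com and the backend's handshake sees the LB's SNI of myWebServer.example.com, yet the backend still receives `session=abc123` intact: the session lives in the HTTP cookie, which is just payload to both TLS connections, which is why two unrelated certificates do not break the login. Through the L4 VIP the client verifies myWebServer.example.com directly, because nothing in the middle terminates TLS. One caveat the example makes explicit that the page leaves open: here the LB verifies the backend's certificate against the backend's name; on a real load balancer that second-hop verification is a separate setting to check rather than assume, since without it the LB-to-backend hop is encrypted but not authenticated.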
