IdP3.3.0/Big IP F5

Mailvaganam, Hari hari.mailvaganam at
Thu Jul 6 21:41:02 EDT 2017


Wondering if anyone has set up a clustered IdPv3 behind BIG IP's F5?

We have one over here that is experiencing the occasional ERR_CONNECTION_RESET; we are peeling off the layers (F5 config, Apache settings, network, etc.) to zero in on the potential cause.

If anyone has this set up on F5, I am wondering if we can compare our F5 config, Apache settings, etc.

Our setup:

  *   Apache proxies traffic via AJP to Tomcat
  *   SSL to BIG-IP/F5, and SSL again to the server endpoints (both Gandi)
  *   HSTS commented out on Apache; SELinux disabled (for troubleshooting)


Listen 443 https

<VirtualHost _default_:443>

  ServerName snip

  # %{X-Forwarded-For}i is logged exactly as received. Behind the BIG-IP, %h is
  # the BIG-IP SNAT/self address, not the browser, so the header is the only
  # record of the client; it is only trustworthy when %h is the BIG-IP.
  # Referer and User-Agent are left unquoted here; quoting them
  # (\"%{Referer}i\" \"%{User-Agent}i\") makes the log unambiguous to parse,
  # since both values can contain spaces.
  LogFormat "%v %{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b %{Referer}i %{User-Agent}i" X-Forwarded-For
  CustomLog /var/log/httpd/idp1.log X-Forwarded-For
  ErrorLog /var/log/httpd/ssl-error.log

  SSLEngine On
  # SSLv2/SSLv3 off, TLS 1.0 and later allowed
  SSLProtocol all -SSLv2 -SSLv3
  SSLCertificateKeyFile /etc/httpd/ssl_certs/snip.key
  SSLCertificateFile /etc/httpd/ssl_certs/snip.crt
  SSLCertificateChainFile /etc/httpd/ssl_certs/GandiStandardSSLCA2.pem

  <IfModule headers_module>
         Header set X-Frame-Options DENY
         # HSTS disabled while troubleshooting
         #Header set Strict-Transport-Security "max-age=31536000 ; includeSubDomains"
  </IfModule>

  ProxyRequests Off

  <Proxy ajp://localhost:8009>
         # Apache 2.2 syntax (needs mod_access_compat on 2.4);
         # the 2.4 equivalent is "Require all granted"
         Allow from all
  </Proxy>

  # Only /idp is forwarded to Tomcat over AJP on the loopback interface
  ProxyPass /idp ajp://localhost:8009/idp retry=5

  #<Files ~ "\.(cgi|shtml|phtml|php3?)$">
  #        SSLOptions +StdEnvVars
  #</Files>

  <Directory "/var/www/cgi-bin">
          SSLOptions +StdEnvVars
  </Directory>

  # Stock ssl.conf workaround for old MSIE SSL bugs
  SetEnvIf User-Agent ".*MSIE.*" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

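Added example, not part of the original message or of the Shibboleth/F5 setup it describes: a Python script that parses lines written by the X-Forwarded-For LogFormat in the config above and derives the client address the way a backend behind a BIG-IP should. X-Forwarded-For is believed only when the TCP peer (%h) is the load balancer, and even then the client is the rightmost hop that is not a trusted proxy, so a value the browser supplied itself is ignored; lines that reached Apache without passing through the BIG-IP are flagged, because there the header is attacker-controlled. The trusted-proxy range 10.0.0.0/24 and the sample log lines are constructed for this example and are not from the post.

```python
"""Added example (not from the original post): parse the X-Forwarded-For
LogFormat and derive the real client address behind an F5 BIG-IP.

Assumptions, labelled: TRUSTED_PROXIES is a hypothetical BIG-IP SNAT/self-IP
range as Apache sees it; SAMPLE_LOG is constructed, not real traffic.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical BIG-IP addresses (SNAT pool / self IP) that connect to Apache.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# LogFormat "%v %{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b %{Referer}i %{User-Agent}i"
# Only the fixed leading fields are parsed. XFF is accepted only when it looks
# like a comma-separated IP list (a multi-hop value contains spaces, so it is
# not a single \S+ token); the unquoted Referer/User-Agent tail is kept raw
# because it cannot be split unambiguously.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) '
    r'(?P<xff>-|[0-9A-Fa-f.:]+(?:,\s*[0-9A-Fa-f.:]+)*) '
    r'(?P<peer>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: (?P<tail>.*))?$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not fit."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_trusted_proxy(addr: str) -> bool:
    """True when addr is an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer: str, xff: str) -> Tuple[str, bool]:
    """Derive (client_address, via_trusted_proxy).

    If the TCP peer is not a trusted proxy the request bypassed the BIG-IP,
    so XFF is ignored and the peer itself is the client. Otherwise walk the
    XFF hops right to left, skipping trusted proxies; the first other hop is
    the client. A hop that is not an IP address is untrusted input, and the
    peer is returned instead.
    """
    if not is_trusted_proxy(peer):
        return peer, False
    hops = [] if xff == "-" else [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer, True
        return hop, True
    return peer, True


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Per line: derived client, a load-balancer bypass flag, status, request."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out.append({"raw": line, "parsed": False})
            continue
        client, via_proxy = client_ip(rec["peer"], rec["xff"])
        out.append({
            "parsed": True,
            "client": client,
            "bypassed_lb": not via_proxy,
            "status": int(rec["status"]),
            "request": rec["request"],
        })
    return out


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    'idp.example.org 203.0.113.7 10.0.0.5 - - [06/Jul/2017:21:41:02 -0400] '
    '"GET /idp/profile/SAML2/Redirect/SSO HTTP/1.1" 302 0 - Mozilla/5.0',
    # Browser sent its own XFF; the BIG-IP appended the real address.
    'idp.example.org 198.51.100.9, 203.0.113.7 10.0.0.5 - - [06/Jul/2017:21:41:03 -0400] '
    '"POST /idp/profile/SAML2/Redirect/SSO HTTP/1.1" 200 4096 - Mozilla/5.0',
    # Direct hit on the backend with a forged XFF: the header must be ignored.
    'idp.example.org 203.0.113.7 192.0.2.44 - - [06/Jul/2017:21:41:04 -0400] '
    '"GET /idp/status HTTP/1.1" 403 199 - curl/7.29.0',
]

if __name__ == "__main__":
    for record in analyze(SAMPLE_LOG):
        print(record)
```

Run it against the real idp1.log by replacing SAMPLE_LOG with the file's lines; any record with bypassed_lb set means a client reached the Apache endpoint directly rather than through the BIG-IP VIP, which is worth closing off at the firewall regardless of the reset investigation.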



