IdP3.3.0/Big IP F5
Mailvaganam, Hari
hari.mailvaganam at ubc.ca
Thu Jul 6 21:41:02 EDT 2017
Hi:
Wondering if anyone has set up a clustered IdPv3 behind BIG IP's F5?
We have one over here – that is experiencing the occasional ERR_CONNECTION_RESET – we are peeling off the layers (F5 config, Apache settings, network etc.) to zero in on the potential cause.
If anyone has this set up on F5 – wondering if we can compare our F5 config, Apache settings etc.
Our set up:
* Apache proxy traffic via AJP to Tomcat
* SSL to Big IP/F5 -- and SSL again to the server endpoints (both Gandi)
* HSTS commented out on Apache; SELinux disabled (for troubleshooting)
Apache:
Listen 443 https
<VirtualHost _default_:443>
ServerName snip
LogFormat "%v %{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b %{Referer}i %{User-Agent}i" X-Forwarded-For
CustomLog /var/log/httpd/idp1.log X-Forwarded-For
ErrorLog /var/log/httpd/ssl-error.log
SSLEngine On
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateKeyFile /etc/httpd/ssl_certs/snip.key
SSLCertificateFile /etc/httpd/ssl_certs/snip.crt
SSLCertificateChainFile /etc/httpd/ssl_certs/GandiStandardSSLCA2.pem
<IfModule headers_module>
Header set X-Frame-Options DENY
#Header set Strict-Transport-Security "max-age=31536000 ; includeSubDomains"
</IfModule>
ProxyRequests Off
<Proxy ajp://localhost:8009>
Allow from all
</Proxy>
ProxyPass /idp ajp://localhost:8009/idp retry=5
#<Files ~ "\.(cgi|shtml|phtml|php3?)$">
# SSLOptions +StdEnvVars
#</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Thanks,
Hari
UBC
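As an added illustration (not part of Hari's post), here is a small Python parser for the X-Forwarded-For LogFormat shown above. When a browser reports ERR_CONNECTION_RESET, checking whether the request appears in this log at all (and with which status) tells you whether the reset happened in front of Apache at the F5 or behind it at the AJP hop. Hostnames and addresses in the sample lines are constructed placeholders.

```python
import re
from collections import Counter

# Matches: %v %{X-Forwarded-For}i %h %l %u %t "%r" %>s %b %{Referer}i %{User-Agent}i
# XFF is matched lazily because a proxy chain logs it as "a.b.c.d, e.f.g.h";
# the "[" of the timestamp anchors the split. Referer and User-Agent are not
# quoted in this format, so the User-Agent is simply the tail of the line.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<xff>.+?) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'(?P<referer>\S+) (?P<ua>.*)$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # First XFF hop is the real client; %h is the load balancer's SNAT address here.
    rec["client"] = rec["xff"].split(",")[0].strip()
    return rec

def summarize(lines):
    """Count responses per (client, status) so reset reports can be matched to the log."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["client"], rec["status"])] += 1
    return counts

def backend_failures(lines):
    """Requests Apache answered with 5xx: the AJP hop, not the F5, produced the error."""
    return [(r["client"], r["request"], r["status"])
            for r in filter(None, map(parse_line, lines)) if r["status"] >= 500]

# Constructed sample lines in the post's LogFormat (placeholder names and IPs).
SAMPLE = [
    'idp1.example.org 203.0.113.7 10.0.0.5 - - [06/Jul/2017:21:30:01 -0400] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=x HTTP/1.1" 302 - - Mozilla/5.0 (X11; Linux)',
    'idp1.example.org 203.0.113.7 10.0.0.5 - - [06/Jul/2017:21:30:02 -0400] "POST /idp/profile/SAML2/Redirect/SSO?execution=e1s1 HTTP/1.1" 200 4821 https://idp1.example.org/idp/ Mozilla/5.0 (X11; Linux)',
    'idp1.example.org 198.51.100.9, 10.0.0.5 10.0.0.6 - - [06/Jul/2017:21:31:10 -0400] "GET /idp/status HTTP/1.1" 502 401 - curl/7.29.0',
    'garbage line that should not parse',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(key, n)
    print(backend_failures(SAMPLE))
```

A client that reports a reset but never shows up here (or shows up only with a 408) points at the F5 or the first TLS leg; a 502 after the AJP retry points at Tomcat.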