Applies To:

Show Versions Show Versions

Manual Chapter: Accelerating HTTPS Traffic with an Asymmetric WebAccelerator module
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Accelerating HTTPS traffic with an asymmetric WebAccelerator module

Operating asymmetrically, the BIG-IP® WebAccelerator™ module caches objects from origin web servers and delivers them directly to clients. The WebAccelerator module handles both static content and dynamic content, by processing HTTPS responses, including objects referenced in the response, and then sending the included objects as a single object to the browser. This form of caching reduces server TCP and application processing, improves web page loading time, and reduces the need to regularly expand the number of web servers required to service an application.

Task summary for accelerating HTTPS traffic with an asymmetric WebAccelerator module

Perform these tasks to accelerate HTTPS traffic with an asymmetric BIG-IP® WebAccelerator™ module.

Defining an NTP server

Network Time Protocol (NTP) synchronizes the clocks on a network by means of a defined NTP server.
  1. On the Main tab, click System > Configuration > Device > NTP. The NTP Device configuration screen opens.
  2. In the Time Server Lookup List area, in the Address field, type the IP address of the NTP that you want to add. Then, click Add.
    Note: If you did not disable DHCP before the first boot of the BIG-IP system, and if the DHCP server provides the information about your NTP server, then this field is automatically populated.
  3. Click Update.
The NTP server is defined.

Creating an application profile for an asymmetric WebAccelerator system

An application profile provides the key information that the WebAccelerator™ system needs to appropriately handle requests to your site's web applications.
  1. On the Main tab, click WebAccelerator > Applications. The Applications List screen opens.
  2. Click Create.
  3. Name the application.
  4. In the Description field, type a description.
  5. From the Policy list, select a policy.
  6. In the Requested Host field, type each domain name (host name) that might appear in HTTP requests for your web application. The specified domain names are defined in the host map for the application profile.
  7. Click Save.
The application profile appears in the Application column on the Applications List screen.

Enabling the WebAccelerator module with the Web Acceleration profile

A BIG-IP® WebAccelerator™ module application must be available.
The Web Acceleration profile enables the WebAccelerator module by using Acceleration Manager applications that run on a virtual server.
  1. On the Main tab, click Local Traffic > Profiles > Services > Web Acceleration. The Web Acceleration profile list screen opens.
  2. Click the name of a profile.
  3. Select the Custom check box.
  4. For the WA Applications setting, select an application in the Available list and click Enable. The WebAccelerator module application is listed in the Enabled list.
  5. Click Update.
The WebAccelerator module is enabled through the WebAccelerator module application in the Web Acceleration profile.

Requesting a certificate from a certificate authority

You can generate a certificate and copy it or submit it to a trusted certificate authority for signature.
  1. On the Main tab, click System > File Management > SSL Certificate List. The SSL Certificate List screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the SSL certificate.
  4. In the Issuer list, select Certificate Authority.
  5. In the Common Name field, type a name.
  6. In the Division field, type your company name.
  7. In the Organization field, type your department name.
  8. In the Locality field, type your city name.
  9. In the State or Province field, type your state or province name.
  10. From the Country list, select the name of your country.
  11. In the E-mail Address field, type your email address.
  12. In the Lifetime field, type a number of days, or retain the default, 365.
  13. In the Subject Alternative Name field, type a name. This name is embedded in the certificate for X509 extension purposes. By assigning this name, you can protect multiple host names with a single SSL certificate.
  14. In the Challenge Password field, type a password.
  15. In the Confirm Password field, re-type the password you typed in the Challenge Password field.
  16. For Key Properties, in the Size list, select a size in bits.
  17. Click Finished.
  18. Do one of the following to download the request into a file on your system.
    • In the Request Text field, copy the certificate.
    • For Request File, click the button.
  19. Follow the instructions on the web site for either pasting the copied request or attaching the generated request file.
  20. Click Finished.
The generated certificate is submitted to a trusted certificate authority for signature.

Importing an SSL certificate signed by a certificate authority

An SSL certificate signed by a certificate authority is available.
You can install an SSL certificate that is signed by a certificate authority by importing the certificate file.
  1. On the Main tab, click System > File Management > SSL Certificate List. The SSL Certificate List screen opens.
  2. Click Import.
  3. In the Import Type list, select Certificate.
  4. For the Certificate Name setting, do one of the following:
    • Select the Create New option, and type a unique name in the field.
    • Select the Overwrite Existing option, and select a certificate name in the list.
  5. For the Certificate Source setting, do one of the following:
    • Select the Upload File option, and browse to the location of the certificate file.
    • Select the Paste Text option, and paste the certificate text copied from another source.
  6. Click Import.
The SSL certificate that was signed by a certificate authority is installed.

Creating a pool to manage HTTPS traffic

You can create a pool (a logical set of devices, such as web servers, that you group together to receive and process HTTPS traffic) to efficiently distribute the load on your server resources.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Assign the https or https_443 health monitor from the Available list by moving it to the Active list.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Add each resource that you want to include in the pool using the New Members setting:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. Type 443 in the Service Port field, or select HTTPS from the list.
    3. (Optional) Type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The HTTPS load balancing pool now appears in the Pool List screen.

Creating a virtual server to manage HTTPS traffic

You can create a virtual server to manage HTTPS traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the HTTP Profile list, select http.
  7. From the HTTP Compression Profile list, select one of the following profiles:
    • httpcompression
    • wan-optimized-compression
    • A customized profile
  8. From the Web Acceleration Profile list, select one of the following profiles with an enabled WebAccelerator™ module application:
    • optimized-acceleration
    • optimized-caching
    • webacceleration
    • A customized profile
  9. For the SSL Profile (Client) setting, from the Available list, select clientssl, and using the Move button, move the name to the Selected list.
  10. Optional: From the SSL Profile (Server) list, select serverssl.
    Note: This setting ensures that there is an SSL connection between the HTTP virtual server and the external HTTPS server.
  11. Click Finished.
The HTTPS virtual server appears in the Virtual Server List screen.

Verifying an application profile

Verifying an application profile requires a personal computer (PC) that can run a web browser.
You must verify that the WebAccelerator™ system is able to properly send data to and receive data from the origin web servers.
  1. On a PC, open the hosts file to edit.
  2. Add the host name that you used to access the web site application. The host name must point to the IP address for the virtual server that you configured.
    Note: On Microsoft® Windows® 2000 and Windows® XP machines, the hosts file is located at: C:\WINDOWS\system32\drivers\etc\hosts.
    For example, if you can access the web site at the www.siterequest.com domain, and the virtual server is at IP address 11.1.11.3, add the following line to the hosts file on the machine running the browser: 11.1.11.3 www.siterequest.com All network traffic from the web browser machine for the web site application subsequently goes to the virtual server.
  3. Request a page from the web site application. For example, if you configured www.siterequest.com, request a page from www.siterequest.com.
    • If the browser times out the request, then the WebAccelerator system is not running, or the firewall is blocking access to port 80 on the WebAccelerator system.
    • If you receive an Access denied by intermediary error:
      • Verify that the hosts file is correct.
      • Verify that the host map for the application profile is correct.
      • Verify that you used a domain in the request that matches a requested host in the host map, and that it maps to the destination host.
    The page appears directly from the origin web servers.
  4. Remove any entries that you changed or added, once you verify the application profile and the host mapping.
The WebAccelerator system is verified to properly send data to and receive data from the origin web servers.

Implementation result

The BIG-IP® WebAccelerator™ module is configured asymmetrically to accelerate HTTPS traffic.

Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)