Forum Discussion
1 VIP / any ports used for both HTTP and HTTPS, possible?
Hello,
We would like to use the same VIPs and DNS names for both encrypted and non-encrypted traffic, with this idea:
* If F5 LTM receives HTTP traffic (on any port), it should not encrypt.
* If F5 LTM receives SSL traffic (on any port), it should encrypt.
If encrypted on port x, then send encrypted on port x; if non-encrypted on port x, then send non-encrypted on port x.
The pool is the same for both cases
There is an option to allow non-SSL traffic on the client SSL profile, but this option is not there for the server SSL profile, so maybe there exists an iRule for this?
Thanks for your help!
3 Replies
- R_Marc
Nimbostratus
The only way I can think to do that would be rather kludgy.
Have a TCP passthru virtual that selects the appropriate virtual based on something in the data stream, so you'd have to do a TCP capture. Here's one way to do it (ripped off the binary scan from another DevCentral post: https://devcentral.f5.com/questions/binary-scan).
Virtuals (the content switch, and two bogus IP'd ones...don't have to be bogus, but don't need to be exposed at all):
```
ltm virtual multiproto-test-passthru-any {
    destination 10.0.0.181:any
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        tcp { }
    }
    rules {
        multi-protocol-rule
    }
    source 0.0.0.0/0
    translate-port disabled
    vs-index 17
}
ltm virtual multiproto-test-any {
    destination 1.1.1.2:any
    ip-protocol tcp
    mask 255.255.255.255
    pool multiproto-test-any
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-port disabled
    vs-index 15
}
ltm virtual multiproto-test-ssl-any {
    destination 1.1.1.1:any
    ip-protocol tcp
    mask 255.255.255.255
    pool multiproto-test-any
    profiles {
        clientssl {
            context clientside
        }
        serverssl-insecure-compatible {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-port disabled
    vs-index 14
}
```

The iRule:

```tcl
ltm rule multi-protocol-rule {
    when CLIENT_ACCEPTED {
        # hold the first 15 bytes of the client stream before deciding
        TCP::collect 15
    }
    when CLIENT_DATA {
        # hex-encode the collected bytes; 0x16 0x03 is the start of a
        # TLS handshake record (content type 22, major version 3)
        binary scan [TCP::payload 15] H12 data
        if { ( $data starts_with "1603") } {
            log local0. "$data"
            virtual multiproto-test-ssl-any
        } else {
            log local0. "[TCP::payload]"
            virtual multiproto-test-any
        }
        TCP::release
    }
}
```

This worked for me. Not sure why you'd wanna do that, but if you do ....
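As an added example (not R_Marc's iRule or any F5 code), here is the same first-bytes classification the passthrough virtual performs, written in Python and extended to check the whole TLS record header and handshake type rather than only the "1603" prefix; the sample payloads and the HTTP method list are constructed for the example.

```python
# Added example (not R_Marc's or F5's code): a stand-alone Python version of
# the check the passthrough iRule performs on the first collected bytes.
# The iRule only tests for the "1603" prefix; this version also validates the
# record length and that the record carries a ClientHello. Sample payloads
# below are constructed for the example.
import struct

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

def classify_first_bytes(payload: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the start of a client stream."""
    if len(payload) < 6:
        return "unknown"  # not enough bytes to see the TLS handshake type
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    handshake_type = payload[5]
    if (content_type == 0x16      # record type 22: handshake (the "16" in 1603)
            and major == 0x03     # record-layer major version 3 (the "03")
            and minor <= 0x04     # SSLv3 .. TLS 1.3 record versions
            and rec_len > 0
            and handshake_type == 0x01):  # ClientHello
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def select_virtual(payload: bytes) -> str:
    """Virtual the passthrough VIP hands the connection to, as in the iRule:
    TLS goes to the SSL virtual, everything else to the plain one."""
    if classify_first_bytes(payload) == "tls":
        return "multiproto-test-ssl-any"
    return "multiproto-test-any"

# Constructed samples: a TLS 1.2 ClientHello record header (version 0x0301 in
# the record layer, 0x0303 in the handshake), a plain HTTP request, and a
# record that starts with 1603 but is a ServerHello (type 2), not a ClientHello.
SAMPLE_TLS = bytes.fromhex("160301004c010000480303") + b"\x00" * 32
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: 172.28.24.10\r\n\r\n"
SAMPLE_LOOKALIKE = bytes.fromhex("160301001002") + b"\x00" * 16

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP),
                         ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, classify_first_bytes(sample), "->", select_virtual(sample))
```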
- nitass
Employee
> There is an option to allow non-SSL traffic on the client SSL profile, but this option is not there for the server SSL profile, so maybe there exists an iRule for this?
what about this?
config

```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:0
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        myclientssl {
            context clientside
        }
        serverssl {
            context serverside
        }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-port disabled
    vs-index 14
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:0 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    allow-non-ssl enabled
    app-service none
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    inherit-certkeychain true
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENTSSL_HANDSHAKE {
        set is_ssl 1
    }
    when HTTP_REQUEST {
        if { not([info exists is_ssl]) } {
            SSL::disable serverside
        }
    }
}
```

test

```
[root@centos1 ~] curl -I http://172.28.24.10/
HTTP/1.1 200 OK
Date: Mon, 17 Nov 2014 03:59:07 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
ETag: "41879c-59-2a9c23c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8

[root@centos1 ~] curl -Ik https://172.28.24.10/
HTTP/1.1 200 OK
Date: Mon, 17 Nov 2014 03:59:13 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
ETag: "41879c-59-2a9c23c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
```

- (original poster)

Thanks both of you, nitass's solution is neater; I tested it and it works, thanks a lot!