Forum Discussion
1 VIP / any ports used for both HTTP and HTTPS, possible?
The only way I can think to do that would be rather kludgy.
Have a TCP passthru virtual that selected the appropriate virtual based on something in the data stream, so you'd have to do a TCP capture. Here's one way to do it (ripped off the binary scan from another DevCentral post: https://devcentral.f5.com/questions/binary-scan)
Virtuals (the content switch, and two bogus IP'd ones...don't have to be bogus, but don't need to be exposed at all):
ltm virtual multiproto-test-passthru-any {
    destination 10.0.0.181:any
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        tcp { }
    }
    rules {
        multi-protocol-rule
    }
    source 0.0.0.0/0
    translate-port disabled
    vs-index 17
}
ltm virtual multiproto-test-any {
    destination 1.1.1.2:any
    ip-protocol tcp
    mask 255.255.255.255
    pool multiproto-test-any
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-port disabled
    vs-index 15
}
ltm virtual multiproto-test-ssl-any {
    destination 1.1.1.1:any
    ip-protocol tcp
    mask 255.255.255.255
    pool multiproto-test-any
    profiles {
        clientssl {
            context clientside
        }
        serverssl-insecure-compatible {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-port disabled
    vs-index 14
}
The iRule:
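ltm rule multi-protocol-rule {
    when CLIENT_ACCEPTED {
        # Buffer the first 15 bytes the client sends before picking a virtual
        TCP::collect 15
    }
    when CLIENT_DATA {
        # Hex-encode the first 6 bytes (12 hex digits) of the buffered payload
        binary scan [TCP::payload 15] H12 data
        # 0x16 = TLS handshake record, 0x03 = SSL 3.0/TLS major version
        if { ( $data starts_with "1603") } {
            log local0. "$data"
            virtual multiproto-test-ssl-any
        } else {
            # Anything else is treated as cleartext; note this logs the raw payload
            log local0. "[TCP::payload]"
            virtual multiproto-test-any
        }
        # Release the buffered bytes to the selected virtual
        TCP::release
    }
}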
This worked for me. Not sure why you'd wanna do that, but if you do ....
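The first-bytes test from the iRule above, reproduced offline in Python as an added example that is not part of the original post. It compares the "1603" prefix match with a stricter parse of the TLS record header and handshake type; the function names and sample byte strings are constructed for illustration.

```python
import struct

def irule_prefix_check(buf: bytes) -> str:
    """Mirror of the post's test: hex of the first 6 bytes starts with '1603'."""
    return "tls" if buf[:6].hex().startswith("1603") else "plain"

def classify_first_bytes(buf: bytes) -> str:
    """Stricter check: return 'tls', 'plain' or 'need-more'.

    A TLS ClientHello begins with a 5-byte record header
    (type, major, minor, 2-byte length) followed by the handshake type.
    """
    if len(buf) < 6:
        return "need-more"  # not enough data to decide yet
    ctype, major, minor, rec_len, hs_type = struct.unpack("!BBBHB", buf[:6])
    if (ctype == 0x16                # handshake record
            and major == 0x03        # SSL 3.0 / TLS family
            and minor <= 0x04        # record-layer versions 3.0 to 3.4
            and 0 < rec_len <= 16384 # plaintext record length limit
            and hs_type == 0x01):    # ClientHello
        return "tls"
    return "plain"

# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "client_hello": bytes.fromhex("16030100c8010000c40303"),
    "http_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "odd_prefix": bytes.fromhex("1603ffffffff"),  # starts 16 03 but is not a valid record
    "short": bytes.fromhex("1603"),
}

def compare() -> dict:
    """Return {name: (prefix_result, strict_result)} for every sample."""
    return {name: (irule_prefix_check(b), classify_first_bytes(b))
            for name, b in SAMPLES.items()}

if __name__ == "__main__":
    for name, (prefix, strict) in compare().items():
        print(f"{name:13s} prefix={prefix:5s} strict={strict}")
```

The two checks agree on ordinary HTTP and TLS clients; they differ only on streams that begin with 0x16 0x03 without being a well-formed ClientHello, which the prefix match hands to the SSL virtual.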