For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

BaltoStar_12467's avatar
BaltoStar_12467
Oct 13, 2015

BIG-IP : disable SSL on request

F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

Within an iRule, I know how to enable/disable SSL on a request to be routed :

pool pool-01
SSL::disable serverside
return

However, is it possible to accomplish same via a profile ?

application delivery
design
devops
iRules
LTM
ssl
ssl::profile

2 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 13, 2015

    Not in a profile, but definitely in an LTM policy. In the general properties of a policy, select whatever data point you need in the Requires section, and forwarding (for the pool) and server-ssl (to disable server side SSL) in the Controls section. Then build your rules accordingly.

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Oct 13, 2015

    As Kevin first suggested, Local traffic policies allow to replace most of irules. there is a bug in the 11.4 version, but is corrected in 11.5.

    You can start with the following workaround allowing to use Policies with a small irule doing which is impossible in policy. (iRule HTTP_REQUEST event occurs after Policy Request event)

    There is a workaround allowing to use Local traffic policies to disable SSL server side: create the rule action 

    tcl variable
    named ssldisable with value 1

    add the following irule and assign it to the VS:

    when HTTP_REQUEST {
    if {([info exists "ssldisable"]) && $ssldisable } {
        SSL::disable serverside
    }
}

    When you will upgrade to 11.5, you only have to replace the 

    set variable
    action by 
    server-ssl disable