For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

David_Farkas_29's avatar
David_Farkas_29
Icon for Nimbostratus rankNimbostratus
Feb 01, 2005

Cache persistence on domain name

Under 4.x I've used a very simple cache rule to send requests to a set of caches. However, back in 4.2 PTF6, a 'special' feature was added to allow persistence to a cache based on the level of the ho...
application delivery
dev
devops
iRules
unRuleY_95363's avatar
unRuleY_95363
Historic F5 Account
Mar 08, 2005
I would then also assume your clients are configured to use the vip as a proxy?

 

 

If so, you have to understand that https connections are proxied in a very different manner than http. The client first sends a CONNECT method to the proxy which causes it to establish a connection to the host. Upon making that connection, the proxy replies with a 200 OK and then passes all subsequent data directly between the client and target host allowing the encryption to succeed.

 

 

In order to handle this in the bigip, we have had to add a HTTP::disable command that turns off http processing after the 200 OK response has occurred. This command will be available in 9.0.5.

 

 

Once you have this command, then you will need to modify your rule to look for the CONNECT method and issue the HTTP::disable command to allow the encrypted connection to flow freely between the client and destination host.

 

 

You can read the following post for more background information on proxying an https connection, however you likely won't be able to use the rule in that post because it doesn't work with the http profile:

 

http://devcentral.f5.com/default.aspx?tabid=28&forumid=5&postid=1274&view=topic

 

 

Hope this helps.