Forum Discussion
Dayton_Gray_103
Nimbostratus
Nov 15, 2011
Can one set an SSL Server Profile based on the pool member used?
I have a fairly convoluted scenario.
I am sending HTTP traffic to local web servers (using NAT) as well as to an internet facing address at another datacenter (using a SNAT pool). All addresses are ratio load balanced in the same pool and I am using a universal persistence profile to look for a cookie so that the connections will persist (as I need connections to the other datacenter to continue being sent there).
The above seems to work very well for the HTTP virtual server. I am however wondering how I can get this to work with the HTTPS virtual server. I need to somehow set an SSL Server profile to re-encrypt if the pool member used is that of the other datacenter IP address. The HTTPS virtual server is only using a client SSL profile (unencrypt) currently.
Does anyone know if this is a possibility given the above scenario? Here is the iRule that is being used with the universal persistence:
when HTTP_REQUEST {
   # Check if there is a MYCOOKIE cookie
   if {[HTTP::cookie "MYCOOKIE"] ne ""}{
      # Persist off of the cookie value with a timeout of 4 hours (14400 seconds)
      persist uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
   }
}
when HTTP_RESPONSE {
   # Check if there is a MYCOOKIE cookie in the response
   if {[HTTP::cookie "MYCOOKIE"] ne ""} {
      # Persist off of the cookie value with a timeout of 4 hours (14400 seconds)
      persist add uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
   }
}

Thanks!!
4 Replies
- nitass
Employee
is this applicable?

[root@ve1023:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.65.152:https
   ip protocol tcp
   rules myrule
   profiles {
      clientssl {
         clientside
      }
      http {}
      serverssl {
         serverside
      }
      tcp {}
   }
}
[root@ve1023:Active] config # b pool foo list
pool foo {
   members {
      200.200.200.101:http {}
      200.200.200.102:https {}
   }
}
[root@ve1023:Active] config # b rule myrule list
rule myrule {
   when LB_SELECTED {
      if {[LB::server port] equals "80"}{
         SSL::disable serverside
      }
   }
   when HTTP_RESPONSE {
      log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::remote_addr]:[TCP::remote_port]"
   }
}

[root@ve1023:Active] config # curl -Ik https://172.28.65.152
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2011 06:46:27 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 08 Nov 2011 12:26:29 GMT
ETag: "4183f1-30-47e02740"
Accept-Ranges: bytes
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8

Nov 15 22:46:36 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:50401 -> 200.200.200.102:443

[root@ve1023:Active] config # curl -Ik https://172.28.65.152
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2011 06:46:53 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Connection: close
Content-Type: text/html; charset=UTF-8

Nov 15 22:46:39 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:50402 -> 200.200.200.101:80

- Dayton_Gray_103
Nimbostratus
It is a bit different than that. I am hoping to be able to set a server ssl profile for the virtual server when traffic is destined to one of the pool members. This will reencrypt the traffic back out to that member. The virtual server is set to only using a client ssl profile (desired behavior for the other pool members).
The solution I'm looking for is really to split a portion of traffic to another datacenter seamlessly. Sort of like a poor man's datacenter load balancer, but without using DNS.

- Michael_Yates
Nimbostratus
Hi Dayton,
You stated " I need to somehow set an SSL Server profile to re-encrypt if the pool member used is that of the other datacenter IP address. The HTTPS virtual server is only using a client SSL profile (unencrypt) currently."
I have done something similar, but what I was working on was encrypting traffic to a specific pool of servers on an HTTP Virtual Server, which is very similar to what you are doing because your configuration is SSL Offload.
First, you will need to assign the SSL Profile (Server) to something (either the default "serverssl" or the one that you want to use specifically for this traffic, either way, set it to something). It does not matter because you will be disabling the SSL Profile first thing anyway (so that the rest of the Virtual Server still acts as if it is SSL Offloaded).
Write the rest of your iRule routing to this special set of servers as normal, because later in your iRule (the SERVER_CONNECTED event) you will list the conditions to enable the SSL profile, and at the same time you can choose the SSL profile in the same event.

Try integrating the following:

when CLIENT_ACCEPTED {
   # I want the Virtual Server to be SSL Offload unless it needs to be encrypted to the Server.
   SSL::disable serverside
}
when SERVER_CONNECTED {
   if { ([string tolower [LB::server pool]] eq "the.special.ssl.pool") } {
      SSL::enable serverside
   } else {
      # Insurance to make sure that if it is enabled anywhere else that it is disabled.
      SSL::disable serverside
   }
}
In the above code I triggered it on the Pool Name, but you can easily change this to [LB::server addr] and list the Server IP Address to trigger the SSL Profile Enable.
Hope this helps.

- spark_86682
Historic F5 Account
Are you wanting to use different serverssl profiles, or just sometimes reencrypt and sometimes not? If the former, use SSL::profile in SERVER_CONNECTED. If the latter, attach the profile to the VIP and then use SSL::disable in SERVER_CONNECTED if you don't need to reencrypt.
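Putting the replies together, the following iRule is an added example (not code posted by anyone in the thread) that keeps the original poster's MYCOOKIE universal persistence and re-encrypts only toward the other datacenter, choosing the server SSL profile for that hop in SERVER_CONNECTED as spark_86682 describes. The data group name "remote_dc_members" and the profile name "remote_dc_serverssl" are assumptions; both must exist and the serverssl profile must already be attached to the HTTPS virtual server alongside its clientssl profile. The SNAT pool for the remote member is assumed to be handled by the virtual server and pool configuration, not by this iRule.

```tcl
# Added example, not from the original thread.
# Assumed objects (hypothetical names):
#   - data group "remote_dc_members": address list holding the other
#     datacenter's internet-facing address(es)
#   - server SSL profile "remote_dc_serverssl", attached to the HTTPS VS
#     next to its client SSL profile

when CLIENT_ACCEPTED {
   # Default behaviour is SSL offload: local pool members are reached
   # in the clear, so start with the server-side profile switched off.
   SSL::disable serverside
}

when HTTP_REQUEST {
   # Universal persistence on MYCOOKIE, 4 hour timeout, as in the
   # original poster's iRule, so a client stays on the member (and the
   # datacenter) it was first sent to.
   if { [HTTP::cookie "MYCOOKIE"] ne "" } {
      persist uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
   }
}

when SERVER_CONNECTED {
   # The selected pool member is known here, before any server-side
   # handshake. Re-encrypt only when the member is in the remote
   # datacenter, and pick the profile for that hop in the same event.
   if { [class match [IP::server_addr] equals remote_dc_members] } {
      SSL::profile remote_dc_serverssl
      SSL::enable serverside
   } else {
      # Insurance: make sure nothing else left it enabled for a local member.
      SSL::disable serverside
   }
}

when HTTP_RESPONSE {
   # Learn the persistence entry from the cookie the application sets.
   if { [HTTP::cookie "MYCOOKIE"] ne "" } {
      persist add uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
   }
}
```

Because the re-encrypted hop crosses the internet via the SNAT pool, the assumed remote_dc_serverssl profile should not be left at its default of ignoring the peer certificate: set its Server Certificate option to require and point it at a trusted CA bundle for the other datacenter, otherwise the re-encryption protects against eavesdropping but not against an impersonated endpoint. The address-list data group is used instead of a hard-coded address so that adding a second remote member does not require editing the iRule.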