Forum Discussion
Dayton_Gray_103
Nimbostratus
Nov 15, 2011
Can one set an SSL Server Profile based on the pool member used?
I have a fairly convoluted scenario.
I am sending HTTP traffic to local web servers (using NAT) as well as to an internet facing address at another datacenter (using a SNAT pool). All addresses are ratio load balanced in the same pool and I am using a universal persistence profile to look for a cookie so that the connections will persist (as I need connections to the other datacenter to continue being sent there).
The above seems to work very well for the HTTP virtual server. I am however wondering how I can get this to work with the HTTPS virtual server. I need to somehow set an SSL Server profile to re-encrypt if the pool member used is that of the other datacenter IP address. The HTTPS virtual server is only using a client SSL profile (unencrypt) currently.
Does anyone know if this is a possibility given the above scenario? Here is the iRule that is being used with the universal persistence:
when HTTP_REQUEST {
   # Check if there is a MYCOOKIE cookie
   if {[HTTP::cookie "MYCOOKIE"] ne ""}{
      # Persist off of the cookie value with a timeout of 4 hours (14400 seconds)
      persist uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
   }
}
when HTTP_RESPONSE {
   # Check if there is a MYCOOKIE cookie in the response
   if {[HTTP::cookie "MYCOOKIE"] ne ""} {
      # Persist off of the cookie value with a timeout of 4 hours (14400 seconds)
      persist add uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
   }
}
Thanks!!
- nitass
Employee
is this applicable?

[root@ve1023:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.65.152:https
   ip protocol tcp
   rules myrule
   profiles {
      clientssl {
         clientside
      }
      http {}
      serverssl {
         serverside
      }
      tcp {}
   }
}
[root@ve1023:Active] config # b pool foo list
pool foo {
   members {
      200.200.200.101:http {}
      200.200.200.102:https {}
   }
}
[root@ve1023:Active] config # b rule myrule list
rule myrule {
   when LB_SELECTED {
      if {[LB::server port] equals "80"}{
         SSL::disable serverside
      }
   }
   when HTTP_RESPONSE {
      log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::remote_addr]:[TCP::remote_port]"
   }
}
[root@ve1023:Active] config # curl -Ik https://172.28.65.152
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2011 06:46:27 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 08 Nov 2011 12:26:29 GMT
ETag: "4183f1-30-47e02740"
Accept-Ranges: bytes
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8

[root@ve1023:Active] config #
Nov 15 22:46:36 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:50401 -> 200.200.200.102:443

[root@ve1023:Active] config # curl -Ik https://172.28.65.152
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2011 06:46:53 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Connection: close
Content-Type: text/html; charset=UTF-8

[root@ve1023:Active] config #
Nov 15 22:46:39 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:50402 -> 200.200.200.101:80
- Dayton_Gray_103
Nimbostratus
It is a bit different than that. I am hoping to be able to set a server SSL profile for the virtual server when traffic is destined to one of the pool members. This will re-encrypt the traffic back out to that member. The virtual server is set to only use a client SSL profile (desired behavior for the other pool members).
- Michael_Yates
Nimbostratus
Hi Dayton,

when CLIENT_ACCEPTED {
   # I want the Virtual Server to be SSL Offload unless it needs to be encrypted to the Server.
   SSL::disable serverside
}
when SERVER_CONNECTED {
   # Pool name is lowercased on both sides so the comparison can actually match.
   if { ([string tolower [LB::server pool]] eq "the.special.ssl.pool") } {
      SSL::enable serverside
   } else {
      # Insurance to make sure that if it is enabled anywhere else that it is disabled.
      SSL::disable serverside
   }
}
- spark_86682
Historic F5 Account
Are you wanting to use different serverssl profiles, or just sometimes re-encrypt and sometimes not? If the former, use SSL::profile in SERVER_CONNECTED. If the latter, attach the profile to the vip and then use SSL::disable in SERVER_CONNECTED if you don't need to re-encrypt.
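Putting the pieces of this thread together, here is an added example of one iRule that keeps the MYCOOKIE universal persistence from the question and re-encrypts only toward the remote datacenter member. It is not code posted by anyone in the thread. It assumes a serverssl profile is attached to the HTTPS virtual server (as in nitass's listing), and the remote member address 192.0.2.10 and the pool name are constructed placeholders to be replaced with your own values.

```tcl
# Added example, not from the thread. Assumes a serverssl profile is attached
# to the HTTPS virtual server; SSL::enable serverside has nothing to enable
# otherwise. Addresses and names below are placeholders.

when RULE_INIT {
    # Placeholder: the pool member at the other datacenter that must be
    # reached over TLS (TEST-NET-2 address, constructed for this example).
    set static::remote_dc_addr "192.0.2.10"
}

when CLIENT_ACCEPTED {
    # Default to SSL offload: nothing is re-encrypted unless LB_SELECTED
    # decides otherwise for this connection.
    SSL::disable serverside
}

when HTTP_REQUEST {
    # Same persistence as the question: a client carrying MYCOOKIE keeps
    # going to the member that set it (4 hour timeout).
    if { [HTTP::cookie "MYCOOKIE"] ne "" } {
        persist uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
    }
}

when LB_SELECTED {
    # The member is known here (persistence lookup has already happened),
    # so decide per connection whether the server side must be encrypted.
    if { [IP::addr [LB::server addr] equals $static::remote_dc_addr] } {
        SSL::enable serverside
        set ssl_mode "reencrypt"
    } else {
        # Insurance: a reused or persisted connection must not keep an
        # earlier decision.
        SSL::disable serverside
        set ssl_mode "offload"
    }
    # Audit line so the chosen mode can be verified in /var/log/ltm.
    log local0. "[IP::client_addr]:[TCP::client_port] -> [LB::server addr]:[LB::server port] mode=$ssl_mode"
}

when HTTP_RESPONSE {
    # Learn the cookie value from the response so the next request persists.
    if { [HTTP::cookie "MYCOOKIE"] ne "" } {
        persist add uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
    }
}
```

The decision is keyed on the selected member's address rather than its port, so it also covers the case where the remote member listens on 443 and a local member happens to as well. If you need distinct serverssl profiles (say a different CA bundle for the remote datacenter), spark's advice applies: switch with SSL::profile in SERVER_CONNECTED instead of only enabling and disabling. Keep in mind that the local NAT members still receive cleartext; the re-encryption only protects the hop across the internet to the other datacenter, and the log line is how you confirm per connection which mode was chosen.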