Forum Discussion

Dayton_Gray_103
Nov 15, 2011

Can one set an SSL Server Profile based on the pool member used?

I have a fairly convoluted scenario.

I am sending HTTP traffic to local web servers (using NAT) as well as to an internet facing address at another datacenter (using a SNAT pool). All addresses are ratio load balanced in the same pool and I am using a universal persistence profile to look for a cookie so that the connections will persist (as I need connections to the other datacenter to continue being sent there).

The above seems to work very well for the HTTP virtual server. I am however wondering how I can get this to work with the HTTPS virtual server. I need to somehow set an SSL Server profile to re-encrypt if the pool member used is that of the other datacenter IP address. The HTTPS virtual server is only using a client SSL profile (unencrypt) currently.

Does anyone know if this is a possibility given the above scenario? Here is the iRule that is being used with the universal persistence:


when HTTP_REQUEST {
    # Check if there is a MYCOOKIE cookie
    if {[HTTP::cookie "MYCOOKIE"] ne ""} {
        # Persist off of the cookie value with a timeout of 4 hours (14400 seconds)
        persist uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
    }
}
when HTTP_RESPONSE {
    # Check if there is a MYCOOKIE cookie in the response
    if {[HTTP::cookie "MYCOOKIE"] ne ""} {
        # Persist off of the cookie value with a timeout of 4 hours (14400 seconds)
        persist add uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
    }
}

Thanks!!

  • Is this applicable?

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.65.152:https
       ip protocol tcp
       rules myrule
       profiles {
          clientssl {
             clientside
          }
          http {}
          serverssl {
             serverside
          }
          tcp {}
       }
    }
    [root@ve1023:Active] config  b pool foo list
    pool foo {
       members {
          200.200.200.101:http {}
          200.200.200.102:https {}
       }
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when LB_SELECTED {
          if {[LB::server port] equals "80"} {
             SSL::disable serverside
          }
       }
       when HTTP_RESPONSE {
          log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::remote_addr]:[TCP::remote_port]"
       }
    }
    
    [root@ve1023:Active] config  curl -Ik https://172.28.65.152
    HTTP/1.1 200 OK
    Date: Wed, 16 Nov 2011 06:46:27 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Tue, 08 Nov 2011 12:26:29 GMT
    ETag: "4183f1-30-47e02740"
    Accept-Ranges: bytes
    Content-Length: 48
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [root@ve1023:Active] config  
    Nov 15 22:46:36 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:50401 -> 200.200.200.102:443
    
    [root@ve1023:Active] config  curl -Ik https://172.28.65.152
    HTTP/1.1 200 OK
    Date: Wed, 16 Nov 2011 06:46:53 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [root@ve1023:Active] config  
    Nov 15 22:46:39 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:50402 -> 200.200.200.101:80
    
    
  • It is a bit different than that. I am hoping to be able to set a server SSL profile for the virtual server when traffic is destined to one of the pool members. This will re-encrypt the traffic back out to that member. The virtual server is set to only use a client SSL profile (desired behavior for the other pool members).

    The solution I'm looking for is really to split a portion of traffic to another datacenter seamlessly. Sort of like a poor man's datacenter load balancer but without using DNS.
  • Hi Dayton,

    You stated "I need to somehow set an SSL Server profile to re-encrypt if the pool member used is that of the other datacenter IP address. The HTTPS virtual server is only using a client SSL profile (unencrypt) currently."

    I have done something similar, but what I was working on was encrypting traffic to a specific pool of servers on an HTTP Virtual Server, which is very similar to what you are doing because your configuration is SSL Offload.

    First, you will need to assign the SSL Profile (Server) to something (either the default "serverssl" or the one that you want to use specifically for this traffic; either way, set it to something). It does not matter because you will be disabling the SSL Profile first thing anyway (so that the rest of the Virtual Server still acts as if it is SSL Offloaded).

    Write the rest of your iRule routing to this special set of servers as normal, because later in your iRule (the SERVER_CONNECTED Event) you will list the conditions to Enable the SSL Profile, and at the same time you can choose the SSL Profile in the same event.

    Try integrating the following:

    when CLIENT_ACCEPTED {
        # I want the Virtual Server to be SSL Offload unless it needs to be encrypted to the Server.
        SSL::disable serverside
    }
    when SERVER_CONNECTED {
        if { [string tolower [LB::server pool]] eq "The.Special.SSL.Pool" } {
            SSL::enable serverside
        } else {
            # Insurance to make sure that if it is enabled anywhere else that it is disabled.
            SSL::disable serverside
        }
    }

    In the above code I triggered it on the Pool Name, but you can easily change this to [LB::server addr] and list the Server IP Address to trigger the SSL Profile Enable.

    Hope this helps.
  • spark_86682 (Historic F5 Account)
    Are you wanting to use different serverssl profiles, or just sometimes re-encrypt and sometimes not? If the former, use SSL::profile in SERVER_CONNECTED. If the latter, attach the profile to the VIP and then use SSL::disable in SERVER_CONNECTED if you don't need to re-encrypt.
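Putting the thread's pieces together, here is one complete iRule for the HTTPS virtual server (an added example, not code posted by any participant above): it keeps the original cookie-based universal persistence, disables server-side SSL in CLIENT_ACCEPTED so local members still get clear-text traffic, and re-enables it in SERVER_CONNECTED only when the selected member is the remote datacenter address, keyed on [LB::server addr] as the second answer suggests. It assumes the virtual server has an HTTP profile, a clientssl profile and a serverssl profile attached (the serverssl profile is required for SSL::enable/disable serverside to have anything to act on), and 203.0.113.10 is a placeholder for the other datacenter's public address.

```tcl
# Added example, not from the original thread. Assumes the HTTPS virtual
# server carries http + clientssl + serverssl profiles. 203.0.113.10 is a
# placeholder (documentation range) for the remote datacenter's address.

when CLIENT_ACCEPTED {
    # Default to SSL offload: the BIG-IP decrypts on the client side and
    # sends clear text to the local (NAT'd) pool members.
    SSL::disable serverside
}

when HTTP_REQUEST {
    # Universal persistence on MYCOOKIE (4 hours) so a client that was
    # sent to the remote datacenter keeps being sent there.
    if { [HTTP::cookie "MYCOOKIE"] ne "" } {
        persist uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
    }
}

when SERVER_CONNECTED {
    # Only the remote datacenter member expects TLS, so re-encrypt for it
    # and explicitly stay in clear text for every other member.
    if { [LB::server addr] equals "203.0.113.10" } {
        SSL::enable serverside
    } else {
        SSL::disable serverside
    }
    # Verification aid: confirm which member was chosen for this connection
    # (matches the style of the log line in the config dump above).
    log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::server_addr]:[TCP::server_port]"
}

when HTTP_RESPONSE {
    # Learn the persistence record from the cookie the server sets.
    if { [HTTP::cookie "MYCOOKIE"] ne "" } {
        persist add uie [string tolower [HTTP::cookie "MYCOOKIE"]] 14400
    }
}
```

Two practical notes: the remote member must be defined in the pool with its HTTPS port (443), as in the config dump above, otherwise the re-encrypted traffic is sent to a port that does not speak TLS; and if the remote datacenter needs a serverssl profile with different settings (server certificate verification, for example) from the one attached to the VIP, spark's suggestion applies and SSL::profile in SERVER_CONNECTED can select it before enabling.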