Forum Discussion
Patrick_McGlyn1
Nimbostratus
Mar 30, 2007
Changing between SSL Termination and non-SSL Termination
We have an issue where, for one application, we want to terminate SSL on the F5 and use cookie persistence only for one client, based on the client source IP.
I put together the following iRule but it is not working:
We are getting page cannot be displayed.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals $::client_IP] } {
        pool test-http
        SSL::profile test-cert
        persist cookie
    } else {
        pool test-https
        SSL::profile none
        persist source_addr 1800
    }
}
2 Replies
- Colin_Walker_12
  Historic F5 Account
  If you're going to try to read the packet data, you're going to have to terminate SSL for all connections coming into that VIP. Once you've done so, you'll be able to read the IP address of the client and act accordingly.
Is this how you have things set up? If not, you'll need to make sure you're decrypting all incoming traffic, not trying to do so selectively.
Colin
- hoolio
Cirrostratus
I would think that you could make layer 4 decisions (client and/or server IP and/or port) without decrypting the SSL.
Couldn't you configure a client SSL profile on the VIP, but then disable SSL for all requests but the ones that need decrypting for cookie persistence?
There should be some examples in this forum using SSL::disable (rather than SSL::profile).
Aaron
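
The SSL::disable approach suggested in the last reply, sketched as an iRule. This is an added example, not code from any participant in the thread. It assumes the virtual server has a client SSL profile, an HTTP profile and a cookie persistence profile attached, reuses the pool names from the original post, and uses 192.0.2.10 as a constructed placeholder address.

```tcl
# Added example, not from the thread. Assumes the virtual server has a
# client SSL profile, an HTTP profile and a cookie persistence profile.
when CLIENT_ACCEPTED {
    # Constructed placeholder for the one client that gets SSL termination.
    set offload_client 192.0.2.10

    if { [IP::addr [IP::client_addr] equals $offload_client] } {
        # Client SSL profile stays active: the BIG-IP decrypts, the HTTP
        # profile parses the request, and the virtual server's cookie
        # persistence profile applies. Traffic to test-http is
        # unencrypted unless a server SSL profile is also attached.
        pool test-http
    } else {
        # Pass the TLS stream through untouched. The decision uses only
        # the layer 4 source address, so nothing needs to be decrypted.
        SSL::disable
        # The payload is still ciphertext, so the HTTP profile must not
        # try to parse it; cookie persistence is unavailable here.
        HTTP::disable
        pool test-https
        persist source_addr 1800
    }
}
```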
