Forum Discussion
Adrien_Legros_1
Altostratus
AltostratusChoosing WAF and SSL offload via Irules
Hello, here is what we are trying to perform:
We want that the internal request go to the ASM. So the BigIP VIP has an sslprofile, perform the ssl offload, goes in the Irule and is analysed by the ASM. This part of the Irule is working fine.
The other case doesn't work (1 case in the Irule). For the external requests, we want to go to a pool without analysing the traffic with the ASM and without performing the ssl offload. I think we also need to remove the http profile becaus we are on a https VIP. but requests doesn't succeed...
here is what Id'like to know:
- How can I disable the ASm in version 10.0
- How can I disable the http profile and the ssl offload ? The commands below do not work.
Thanks.
when CLIENT_ACCEPTED {
log local0. "--- New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] ---"
}
when HTTP_REQUEST {
set debug 1
if {not [matchclass [IP::client_addr] starts_with $::Testgroup]} {
log local0. "Client [IP::client_addr] DIRECT to old WAF without ASM and SLL offload"
SSL::disable
HTTP::disable
pool igw_site_ssl
event disable all
} else {
internall request that should go through the ASM [HTTP::uri] via ASM
log local0. "requete interne [HTTP::uri] via ASM"
if {[HTTP::uri] starts_with "/app3"}{
if {$debug}{log local0. "Request to [HTTP::uri]"}
pool igw_pool_app3
}
elseif {[HTTP::uri] starts_with "/APP1"}{
if {$debug}{log local0. "Request to [HTTP::uri]"}
pool igw_pool_app1
}
elseif {[HTTP::uri] starts_with "/APP2"}{
if {$debug}{log local0. "Request to [HTTP::uri]"}
pool igw_pool_app2
}
}
}
Adrien_Legros_1One thing a forgot to say: When I remove the httpclass from the VIP, everything works well. But in the first case, the ASM should be disabled, so I don't understant why the HTTPCLASS prevent the website to display
hoolioCirrostratus
Hi Adrien,
In 10.0.1 (not 10.0.0) you can enable/disable ASM on a connection using ASM::enable / disable. See SOL10128 for details (Click here).
You'll need to use SSL::disable and HTTP::disable in the CLIENT_ACCEPTED event once you've determined that the client IP address should not go to ASM. Once you do that, I don't think you actually need to disable ASM as the request won't be decrypted or parsed as HTTP.
I haven't tried this yet on 10.0.1 though, so can you try this and reply with the result?
Thanks,
Aaron- Adrien_Legros_1Thanks for your answer, so if I understand:
In the Client accepted event, I should perform the test to know if the client is internal or not. If not, I should only disable http and ssl. The ASM will not intercept the trafic because of the http profile disabled?
You speak about version 10.0.1 so there is no way to disable ASM via Irule in version 10.0 ?
I'll try this and post the result.
Thanks. - hoolioMy reading of SOL10128 is that there isn't a way to disable ASM for a connection using PLUGIN::asm disable or ASM::disable in 10.0.0. It would be a good idea to upgrade to 10.0.1 regardless. I suppose you could push F5 to provide a hotfix for this issue in 10.0.0, but upgrading would probably be faster for you.
Aaron - Adrien_Legros_1Unfortunately, even after some Irule changes, it still doesn't work. Here is what I've done:
When I arrive with an external IP, I entered in the IF (event client accepted) but the request doesn't go to the default pool. The same when I place the command pool pool_external in the event.
Someone has Another idea?
Thanks a lot.
when CLIENT_ACCEPTED {
log local0. "--- New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] ---"
if {not [matchclass [IP::client_addr] starts_with $::internal]} {
log local0. "Client externe qui a l IP [IP::client_addr] DIRECT vers Teros"
HTTP::disable
SSL::disable
}
}
when HTTP_REQUEST {
if {not [matchclass [IP::client_addr] starts_with $::nbbonly]} {
log local0. "HTTPrequest Client externe qui a l IP [IP::client_addr] DIRECT vers Teros"
pool pool_pub_viaTeros
event disable all
} else {
requete client interne [HTTP::uri] via ASM
log local0. "requete interne [HTTP::uri] via ASM"
HTTP::header insert nbbclientip [IP::client_addr]
...... - hoolioIn a quick test on 10.0.1, the connection hung until adding ASM::disable to CLIENT_ACCEPTED. I'm guessing you'll need to upgrade to get this to work.
Aaron