SSL Configuration Using IIS 6
This occurred at 4:02am for me but also during the day at 11:46am which caused an interruption in the availability of the REST API in v11.4.
- Robert_Teller_7 Oct 06, 2015 Historic F5 Account
You can try enabling the HTTP Profile and then using an iRule to disable HTTP for any request that isn't RFC compliant.
I have attached a snippet that will verify that the first portion of the request contains a string followed by a forward slash.
For an HTTP Request
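when CLIENT_ACCEPTED {
    # Keep the HTTP filter off until the first bytes look like a request line
    HTTP::disable
    TCP::collect 20
}
when CLIENT_DATA {
    # %1s keeps the first character of the target; %c would store its integer code
    if {[scan [TCP::payload] {%s %1s} METHOD REQUEST] == 2 && $REQUEST eq "/"} {
        HTTP::enable
    }
    TCP::release
}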
For an HTTPS Request
when CLIENT_ACCEPTED {
    HTTP::disable
}
when CLIENTSSL_CLIENTHELLO {
    SSL::collect 20
}
when CLIENTSSL_DATA {
    # Same check as the HTTP case, applied to the decrypted payload
    if {[scan [SSL::payload] {%s %1s} METHOD REQUEST] == 2 && $REQUEST eq "/"} {
        HTTP::enable
    }
    SSL::release
}
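The first-bytes check from the snippets above, as a stand-alone tclsh harness for trying candidate payloads offline (an added example, not code from the thread or from F5). The proc name looks_like_http, the uppercase-method test and all sample payloads are assumptions constructed for illustration.

```tcl
# Added example: offline tclsh model of the first-bytes gate; not BIG-IP code.
# looks_like_http is a hypothetical helper; it takes the collected payload.
proc looks_like_http {payload} {
    # Only the first 20 bytes are inspected, mirroring "collect 20".
    set head [string range $payload 0 19]
    # %s reads the method token; %1s keeps the first character of the target
    # (%c would store that character's integer code instead).
    if {[scan $head {%s %1s} method first] != 2} {
        return 0
    }
    # Assumption beyond the thread: require an uppercase method token.
    if {![regexp {^[A-Z]+$} $method]} {
        return 0
    }
    # Origin-form targets start with "/"; "OPTIONS *" and absolute-form
    # targets fail this test and would stay on the non-HTTP path.
    return [expr {$first eq "/"}]
}

# Constructed sample payloads (not captured traffic).
set samples [list \
    "origin-form GET"  "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" \
    "origin-form POST" "POST /api/items HTTP/1.1\r\nHost: example.test\r\n\r\n" \
    "asterisk-form"    "OPTIONS * HTTP/1.1\r\nHost: example.test\r\n\r\n" \
    "lowercase method" "get / http/1.1\r\n\r\n" \
    "SSH banner"       "SSH-2.0-Example_1.0\r\n" \
    "TLS record bytes" [binary format H* 160301020001000001fc0303aabbccddeeff00112233] \
    "short payload"    "GET" \
]

foreach {label payload} $samples {
    puts [format "%-17s -> %d" $label [looks_like_http $payload]]
}
```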
- Brad_Parker Oct 20, 2015
Cirrus
You cannot use an HTTP profile without a ClientSSL profile for HTTPS traffic. Is your virtual server HTTP or HTTPS? If it is HTTPS and you need end-to-end SSL, you will also need a ServerSSL profile to re-encrypt.
- Hi Brad, that is the way I understand it to work as well; I was just asking if anyone was able to get it to work without the HTTP profile. It is an HTTPS virtual server. The issue is application-related in that it does not allow us to inspect the traffic, thus when I enable the HTTP profile the application doesn't work via the F5.
- Brad_Parker Oct 23, 2015
Cirrus
Enabling the HTTP profile in and of itself will not affect the traffic in any way and is transparent to the application. Do you have SSL profiles enabled? They too should be transparent to the application. How does your application "not work"? There is no way to see or alter the payload of encrypted traffic; that's why HTTPS requires client SSL profiles if you want to see the content.