Forum Discussion

El-Guapo_29797
Nov 08, 2013

Create F5 LTM Content for http / https via port 8080

The two lines below work using VIP 1.1.1.1:

http://test.website.com and https://test.website.com

But I can only get one of the lines below working using service port 8080:

http://test.website.com:8080 OR https://test.website.com:8080

Would anyone know how to get the above two working using the same VIP 1.1.1.1? Thank you!!!!

7 Replies

  • You cannot specify a set of listening ports on a VIP - either a single port or all ports. Is it absolutely necessary to have all of this on a single VIP, given that the HTTP and HTTPS VIPs could share the same IP address and configuration other than their respective listening ports?

    Also, while still technically possible, it would be extremely difficult to do SSL and non-SSL with the same listening port. For example, let's say you want to do SSL to a VIP that is listening on port 8080 and has a client SSL profile. You also want to do non-SSL to the same IP address on the same 8080 port, but of course without a client SSL profile. You'd necessarily have to create a single VIP on port 8080, apply a client SSL profile, and use an iRule to disable that client SSL profile for non-SSL requests. Because of where SSL sits in the OSI layer, however, one of the only ways you'd have to determine the client's intentions (SSL or non-SSL) would be a layer BELOW SSL, as in at the IP layer. Prior to offloading the SSL, you don't know what the client's intentions are. Now, you could technically sniff the TCP payload at layer 4 and see if the client is sending SSL data, but then you're getting into some fairly complicated iRules.

    It would be FAR EASIER to split these up into separate VIPs with standard client side ports (80 and 443) and use some iRule logic to switch between the port 80 and port 8080 pools.

  • Thank you. I can either use * to allow all ports or create multiple contents and map each content to a specific port. I believe what you mentioned is to create two Secured contents using VIP 1.1.1.1 and bind one to 443 and the other to 8080 (both with SSL offload). Next, create a single content using a 2nd VIP of 1.1.1.2, allowing * all ports, and add an iRule to direct traffic correctly for http://test.com and http://test.com:8080. Right?

    • El-Guapo_29797
      Kevin: actually, I have another question which I believe is more important. I can create a content using a different VIP, but if the URL is the same for all 4 items, how do I create a DNS for these to use a separate VIP? As you can see, all lines are test.website.com. Unless the webadmin modifies one of the three to something like test2.website.com. Right?
    • El-Guapo_29797
      I think the easiest way could be to do this: http://test.com, https://test.com, http://test.com:8080 and https://test.com:8081 (different port).
    • Kevin_Stewart
      Yes. They'll all have to resolve to the same IP, but you can have multiple F5 VIPs with the same IP but different ports.
  • The first and most important thing is that you shouldn't try to do SSL and non-SSL with the same IP/port combination. You also wouldn't be able to create two VIPs with the same IP and port.

    On the second part, if I understand you correctly, you have a wildcard port VIP (ex. 1.1.1.1:0) so that you can accept port 80, 8080, and 443. The iRule for that might look like this:

    when CLIENT_ACCEPTED {
        # Pick a pool based on the port the client connected to on the wildcard VIP
        switch [TCP::local_port] {
            80 {
                pool my_80_pool
                # Plain HTTP: turn off the client SSL profile for this connection
                SSL::disable clientside
            }
            8080 {
                pool my_8080_pool
                SSL::disable clientside
            }
            443 {
                # HTTPS: the client SSL profile stays active (SSL offload)
                pool my_443_pool
            }
            default {
                # Any other port is refused
                reject
            }
        }
    }


    Apply a client SSL profile to the VIP. It will be disabled if the client requests port 80 or 8080, and any request on an undefined port will be rejected.

  • It seems that with this iRule, I can create one content using a wildcard service port (1.1.1.1:0) with client SSL, and this iRule will cut my current 3 contents into one (taking care of 80, 8080, 443)... CORRECT?

    Correct. One VIP with a client SSL profile. The iRule will send the traffic to the correct server pool based on the incoming port and optionally disable the SSL profile if it's not a port 443 request.

    Does it matter what port I use for the backend service? Perhaps a wildcard for that as well?

    If you use a wildcard port, you'll also likely disable port translation on the VIP, meaning the request port will be what's used on the server side. If that's not the case, make sure port translation is enabled and create a single pool or three separate pools depending on where you want the traffic to go based on the client's request port.
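As an added illustration that is not part of the thread, here is a bigip.conf-style tmsh fragment for the setup Kevin describes: one wildcard-port VIP on the shared IP with a client SSL profile, the port-switching iRule attached, and one pool per client-side port so port translation can stay enabled. The object names (vs_test_website, port_switch_rule, my_*_pool) and the 10.0.0.x back-end addresses are assumed placeholders; the iRule body is the one posted above.

```tmsh
# Added example, not from the thread: placeholder names and 10.0.0.x back-end addresses.
# One pool per client-side port; with port translation enabled the pool member's
# port is what the server sees, so the client port does not leak to the back end.
ltm pool my_80_pool {
    members {
        10.0.0.10:80 { address 10.0.0.10 }
    }
    monitor http
}
ltm pool my_8080_pool {
    members {
        10.0.0.10:8080 { address 10.0.0.10 }
    }
    monitor http
}
ltm pool my_443_pool {
    members {
        10.0.0.11:443 { address 10.0.0.11 }
    }
    monitor https
}
# Wildcard-port listener (port 0) on the shared IP: accepts 80, 8080 and 443.
ltm virtual vs_test_website {
    destination 1.1.1.1:0
    mask 255.255.255.255
    ip-protocol tcp
    profiles {
        clientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        port_switch_rule
    }
    source-address-translation {
        type automap
    }
    # translate-port enabled: the pool member port is used on the server side.
    # Set it to disabled (with a single pool of port-0 members) only when the
    # back-end service must receive the client's original port, as noted above.
    translate-port enabled
    translate-address enabled
}
```

Requests on any port other than 80, 8080 or 443 are rejected by the iRule's default branch, so the wildcard listener does not expose extra ports on the back end.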