Forum Discussion

  • SSL::disable. Search for this in the forums, there are plenty of examples on conditions where this is necessary.
    G__Wesley_Rober
    Historic F5 Account
    Hi,

    I'm trying to get this working myself without much luck. Looks like someone else has in this post: http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=11935

    I'm doing the exact same thing. What I want is to disable ClientSSL and HTTP processing if the traffic originates from a specific set of IPs; in that case we'll handle SSL at the server and use sourceIP persistence. For other addresses we want LTM to handle the SSL and do cookie persistence.

    Version is 9.4HF1. I have a clientssl and http profile associated with the VIP. No persistence profile at the moment, but I initially tried it with an http cookie insert profile associated as well.

    Here's the iRule:

    when RULE_INIT {
       # Global default; the per-connection flag is set in CLIENT_ACCEPTED
       set HTTPDisable 0
       log local0. "RuleInit, HTTPDisable: $HTTPDisable"
    }
    when CLIENT_ACCEPTED {
        # Connection-local flag: a variable set here is scoped to this
        # connection, whereas a "global" variable is shared by every
        # connection and would carry one client's decision into the next.
        set HTTPDisable 0
        if { not [matchclass [IP::client_addr] equals $::BigClientNets] } {
            log local0. "Client: [IP::client_addr] not in list, disabling ClientSSL on LTM"
            # Pass the TLS session through untouched; the server terminates it
            SSL::disable
            log local0. "Disabling http"
            set HTTPDisable 1
            HTTP::disable
            log local0. "HTTPDisable: $HTTPDisable."
            log local0. "Setting SrcIP Persistence"
            # Encrypted traffic carries no readable cookie, so persist on source address
            persist source_addr 1800
            log local0. "Using pool myssl for client: [IP::client_addr]"
            pool myssl
        } else {
            log local0. "Client: [IP::client_addr] in list, handling clientssl at LTM"
        }
    }
    when HTTP_REQUEST {
        log local0. "HTTP_Request"
        # Only reached while HTTP parsing is still active on this connection
        if { [info exists HTTPDisable] && $HTTPDisable } {
            log local0. "Disable: $HTTPDisable"
            HTTP::disable
        }
    }
    when LB_SELECTED {
      log local0. "Selected node: [LB::server]"
    }

    virtual bufviphttps {
       pool webpool
       destination 10.30.1.2:443
       ip protocol 6
       rules SrcIP_SSL_Disable
       profiles
          myclientssl
          myhttp
          tcp
    }

    Things work fine when I find an address in the list and allow the default profiles to handle ClientSSL. When I don't match, the SSL::disable/HTTP::disable execute but don't seem to be working. However, at the client I don't see a cert popup, the HTTP_REQUEST and LB_SELECTED events never fire, and as such nothing gets sent to the server.

    The Wiki implies the HTTP::disable command is only valid in HTTP events, but the above referenced post implies it works in CLIENT_ACCEPTED.

    Here are the log messages from real traffic:

    Apr 4 00:24:59 tmm tmm[1424]: Rule : RuleInit, HTTPDisable: 0
    Apr 4 00:25:58 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.2.4 in list, handling clientssl at LTM
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.2.4 in list, handling clientssl at LTM
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTP_Request
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Selected node: webpool 10.30.2.251 80
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.2.4 in list, handling clientssl at LTM
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTP_Request
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Selected node: webpool 10.30.2.251 80
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.2.4 in list, handling clientssl at LTM
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTP_Request
    Apr 4 00:26:11 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Selected node: webpool 10.30.2.251 80
    Apr 4 00:26:15 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTP_Request
    Apr 4 00:27:41 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.11.11 not in list, disabling ClientSSL on LTM
    Apr 4 00:27:41 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Disabling http
    Apr 4 00:27:41 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTPDisable: 1.
    Apr 4 00:27:41 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Using pool myssl for client: 10.30.11.11

    TIA,

    Wes
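The following Python model is an added example, not code from the post above or from F5. It replays the per-client decision the posted CLIENT_ACCEPTED branch makes (source address in the BigClientNets group: terminate TLS on the LTM, cookie persistence, webpool; otherwise SSL::disable, HTTP::disable, source-address persistence, pool myssl) and then shows why the flag that HTTP_REQUEST reads must be connection-scoped: a variable declared with `global` in an iRule is shared by every connection, so one pass-through client would set HTTPDisable for the terminated clients that follow it. The contents of the BigClientNets data group are not given in the post, so the networks used here are constructed, as are the client addresses in the replay (two of which are taken from the posted logs).

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the $::BigClientNets address data group; the real
# group's contents are not given in the post, so these networks are assumed.
BIG_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.30.2.0/24", "192.0.2.0/24")]


def in_big_client_nets(client_ip, nets=BIG_CLIENT_NETS):
    """Mirror of `matchclass [IP::client_addr] equals $::BigClientNets`:
    true when the client address lies inside any network in the group."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


@dataclass(frozen=True)
class ConnectionPlan:
    client_ip: str
    ssl_on_ltm: bool      # False -> SSL::disable, the server terminates TLS
    http_on_ltm: bool     # False -> HTTP::disable, no HTTP events expected
    persistence: str
    pool: str


def plan_for_client(client_ip):
    """The decision the posted CLIENT_ACCEPTED branch makes for one client."""
    if in_big_client_nets(client_ip):
        return ConnectionPlan(client_ip, True, True, "cookie", "webpool")
    return ConnectionPlan(client_ip, False, False, "source_addr 1800", "myssl")


def http_disable_flag_seen(client_ips, per_connection):
    """Replay a sequence of connections and return what the HTTP_REQUEST
    handler would read in $HTTPDisable for each of them.

    per_connection=True models a variable set in CLIENT_ACCEPTED (scoped to
    that connection); per_connection=False models a `global` variable that
    every connection shares, as the posted rule declares it.
    """
    shared = {"HTTPDisable": 0}
    seen = []
    for ip in client_ips:
        flag = {"HTTPDisable": 0} if per_connection else shared
        if not plan_for_client(ip).http_on_ltm:
            flag["HTTPDisable"] = 1
        seen.append((ip, bool(flag["HTTPDisable"])))
    return seen


if __name__ == "__main__":
    # Constructed replay: an in-list client, a pass-through client, then the
    # in-list client again. With the shared flag the third connection is
    # wrongly treated as HTTP-disabled.
    sequence = ["10.30.2.4", "10.30.11.11", "10.30.2.4"]
    for scoped in (True, False):
        label = "per-connection" if scoped else "shared global"
        print(label, http_disable_flag_seen(sequence, per_connection=scoped))
```

Run it and compare the two lines of output: the per-connection replay reports the third connection as not disabled, the shared-global replay reports it as disabled. The same leak is invisible in the posted logs only because the pass-through client (10.30.11.11) happened to connect last.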