Forum Discussion

Patrick_McGlyn1
Mar 30, 2007

Disable SSL in an iRule

How would you disable SSL termination on the F5 in an irule if you have an SSL client profile defined on a virtual server?

2 Replies

  • SSL::disable. Search for this in the forums, there are plenty of examples on conditions where this is necessary.
  • G__Wesley_Rober
    Historic F5 Account
    Hi,

    I'm trying to get this working myself without much luck. Looks like someone else has in this post: http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=11935

    I'm doing the exact same thing. What I want is to disable ClientSSL and HTTP processing if the traffic originates from a specific set of IPs; in that case we'll handle SSL at the server and use sourceIP persistence. For other addresses we want LTM to handle the SSL and do cookie persistence.

    Version is 9.4HF1. I have a clientssl and http profile associated with the VIP. No persistence profile at the moment, but I initially tried it with an http cookie insert profile associated as well.

    Here's the iRule:

    when RULE_INIT {
        log local0. "RuleInit"
    }
    when CLIENT_ACCEPTED {
        # Decide once per connection and keep the decision in a connection-local
        # variable. A global flag (set in RULE_INIT / referenced as $::name) is
        # shared by every connection on the virtual server, so one unlisted
        # client would switch HTTP off for the listed clients that follow it.
        if { not [matchclass [IP::client_addr] equals $::BigClientNets] } {
            log local0. "Client: [IP::client_addr] not in list, disabling ClientSSL on LTM"
            SSL::disable
            log local0. "Disabling http"
            set HTTPDisable 1
            HTTP::disable
            log local0. "HTTPDisable: $HTTPDisable."
            log local0. "Setting SrcIP Persistence"
            persist source_addr 1800
            log local0. "Using pool myssl for client: [IP::client_addr]"
            pool myssl
        } else {
            set HTTPDisable 0
            log local0. "Client: [IP::client_addr] in list, handling clientssl at LTM"
        }
    }
    when HTTP_REQUEST {
        log local0. "HTTP_Request"
        # Only reached while the HTTP profile is still active for this connection
        if { [info exists HTTPDisable] && $HTTPDisable } {
            log local0. "Disable: $HTTPDisable"
            HTTP::disable
        }
    }
    when LB_SELECTED {
        log local0. "Selected node: [LB::server]"
    }
    virtual bufviphttps {
       pool webpool
       destination 10.30.1.2:443
       ip protocol 6
       rules SrcIP_SSL_Disable
       profiles
          myclientssl
          myhttp
          tcp
    }

    Things work fine when I find an address in the list and allow the default profiles to handle ClientSSL. When I don't match, the SSL::disable/HTTP::disable execute but don't seem to be working. However, at the client I don't see a cert popup, the HTTP_REQUEST and LB_SELECTED events never fire, and as such nothing gets sent to the server.

    The Wiki implies the HTTP::disable command is only valid in HTTP events, but the above referenced post implies it works in CLIENT_ACCEPTED.

    Here are the log messages from real traffic:

    Apr 4 00:24:59 tmm tmm[1424]: Rule : RuleInit, HTTPDisable: 0
    Apr 4 00:25:58 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.2.4 in list, handling clientssl at LTM
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.2.4 in list, handling clientssl at LTM
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTP_Request
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Selected node: webpool 10.30.2.251 80
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.2.4 in list, handling clientssl at LTM
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTP_Request
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Selected node: webpool 10.30.2.251 80
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.2.4 in list, handling clientssl at LTM
    Apr 4 00:26:05 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTP_Request
    Apr 4 00:26:11 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Selected node: webpool 10.30.2.251 80
    Apr 4 00:26:15 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTP_Request
    Apr 4 00:27:41 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Client: 10.30.11.11 not in list, disabling ClientSSL on LTM
    Apr 4 00:27:41 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Disabling http
    Apr 4 00:27:41 tmm tmm[1424]: Rule SrcIP_SSL_Disable : HTTPDisable: 1.
    Apr 4 00:27:41 tmm tmm[1424]: Rule SrcIP_SSL_Disable : Using pool myssl for client: 10.30.11.11

    TIA,

    Wes
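
The pattern the first reply points at (SSL::disable chosen per connection), written out as an added example; this is not code from the thread or from F5. It follows the intent described in the second reply: clients in a listed set of networks bypass termination on the LTM and get source-address persistence, everyone else is terminated on the LTM and gets HTTP-layer handling. Assumed names: an address data group ssl_bypass_nets, the pools myssl (servers listening on 443) and webpool (servers on 80). It uses the v9 matchclass/$:: data-group syntax the thread uses; the CLIENTSSL_HANDSHAKE event and SSL::cipher are assumed to be available on 9.4.

```tcl
# Added example (not from the thread). Bypass client-side TLS termination for
# clients whose source address is in the data group ssl_bypass_nets (assumed
# name) and hand their raw TLS stream to the :443 pool "myssl"; terminate on
# the LTM for everyone else and send plaintext HTTP to "webpool".

when CLIENT_ACCEPTED {
    # Decide once per connection and keep the decision in a connection-local
    # variable. A global ($::name) is shared by every connection on the
    # virtual server and would leak one client's decision into the next.
    if { [matchclass [IP::client_addr] equals $::ssl_bypass_nets] } {
        set tls_bypass 1
        # No termination on the LTM. The HTTP profile must go too: left on,
        # it waits for a request it can never parse out of encrypted bytes,
        # so HTTP_REQUEST and LB_SELECTED never fire and nothing is forwarded.
        SSL::disable
        HTTP::disable
        # No HTTP layer means no cookie persistence; use the source address.
        persist source_addr 1800
        pool myssl
        log local0. "[IP::client_addr]: TLS passthrough to myssl"
    } else {
        set tls_bypass 0
        pool webpool
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires only for connections the LTM terminated (assumed available on
    # 9.4): a cheap check that the bypass branch really skipped termination.
    log local0. "[IP::client_addr]: terminated on LTM, [SSL::cipher version] [SSL::cipher name]"
}

when HTTP_REQUEST {
    # Only terminated connections reach this event. Any HTTP-layer control
    # placed here (header checks, cookie persistence) does not apply to
    # bypassed clients; for them the LTM is a TCP forwarder.
    if { $tls_bypass } {
        HTTP::disable
        return
    }
    HTTP::header replace X-Forwarded-For [IP::client_addr]
    log local0. "[IP::client_addr]: [HTTP::method] [HTTP::uri]"
}
```

The data group holds the networks that bypass termination, for example (bigpipe v9 syntax, assumed): class ssl_bypass_nets { network 10.30.11.0 mask 255.255.255.0 }. Two things to keep in mind when deploying this: the only input to the bypass decision is the client source address, so the data group should list exactly the networks whose servers are trusted to terminate TLS themselves; and because bypassed traffic never passes through the HTTP profile, every HTTP-level check or header insertion on the virtual server silently does not apply to those clients, which is easy to overlook when the rest of the rule is later extended.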