Forum Discussion

gwjr_105177's avatar
gwjr_105177
Icon for Nimbostratus rankNimbostratus
Apr 03, 2007

disabling SSL to one backend pool

I have a SSL Virtual server setup that will forward requests to one of 2 pools based on the Uri. Obviously I have setup a Client SSL profile on the Virtual Server but I also have a Server SSL profile setup on the Virtual Server as well as I would like to keep the connection from the F5 to one of the backend pools encrypted. The other pool I would rather not have SSL traffic to as it is serving mostly static content. So in essence:

 

 

Internet Client (SSL) https://dostuff.foo.com

 

|

 

V

 

F5 If uri starts with /secure

 

|

 

V

 

SSL pool (encrypted)

 

|

 

V else

 

Static pool (unencrypted)

 

 

Is there a way to do this so that it's SSL for the internet client all the way but selective on the backend? If I have to I'll make it all SSL on the backend but just trying to save some resources - here's the iRule I've been trying but currently I am getting a connection reset.

 

 

when HTTP_REQUEST {

 

set my_uri [string tolower [HTTP::uri]]

 

set usessl 0

 

if { $my_uri starts_with "/secure" } {

 

pool ssl__pool

 

set usessl 1

 

} else {

 

pool static_pool

 

}

 

}

 

 

when SERVER_CONNECTED {

 

if { $usessl == 0 } {

 

SSL::disable

 

}

 

}

 

application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Apr 04, 2007
    The rule looks correct.

     

     

    Do you get a reset for requests to both /secure and to other URIs? If you take the rule off and use client and server SSL for all requests, are all requests successful?

     

     

    Aaron

     

  • gwjr_105177's avatar
    gwjr_105177
    Icon for Nimbostratus rankNimbostratus
    Apr 04, 2007
    Yeah it seems I get resets for /secure as well. Interestingly when I moved everything to SSL connections for the static pool as well everything works fine. Also, removing the server SSL profile and having non-SSL requests to the backend servers worked as well. I'm going to continue to investigate.
  • Alok_3817's avatar
    Alok_3817
    Icon for Nimbostratus rankNimbostratus
    May 20, 2010
    Use this 

     
 when HTTP_REQUEST { 
 set my_uri [string tolower [HTTP::uri]] 
 if { $my_uri starts_with "/secure" }  
 { 
 pool ssl__pool 
 }  
 else  
 { 
 SSL::disable serverside 
 pool static_pool  
 } 
 }

    Looks like when you are using the SSL::disable alone, it is killing the Client SSL, (which is the default),

    Client <--Encrypted--> | F5 (VS) ( iRule ) (POOL) F5 | <---Encrypted ---> Server (in SSL pool)

    Client <-- Not Encrypted--> | F5 (VS) ( iRule ) (POOL) F5 | <--- Not Encrypted ---> Server (in Static pool)

    From your requirements i thought you needed

    Client <-- Encrypted--> | F5 (VS) ( iRule ) (POOL) F5 | <--- Not Encrypted ---> Server (in Static pool)

    The Above iRule should help

    Do let us know