Forum Discussion
Dynamically remove serverssl profile
My question is how the iRule should look to dynamically remove the serverssl profile when traffic goes to the pool using port 80. I have a pool with a WAF and a real server set in priority groups, with the WAF being the priority (100) and the real server secondary (10). The WAF accepts port 80, but if the WAF is not available, traffic will forward directly to the real server using port 443. I read that best practice is to have serverssl applied to the VIP and have the iRule strip it away instead of adding it when needed. Here is the syntax of the iRule that I believe may work; I'm looking for confirmation and adjustments. Thanks

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 80 } {
            SSL::disable
            pool myPool
        } elseif { [TCP::local_port] == 443 } {
            pool myPool
        } else {
            discard
        }
    }
- Anesh
Cirrostratus
Some suggestions:
    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 80 } {
            SSL::disable
            pool myPool_80
        } elseif { [TCP::local_port] == 443 } {
            SSL::enable
            pool myPool_443
        }
    }
- dragonflymr
Cirrostratus
Hi,
I assume your config is like this:

- VS
  - IP:443
  - clientssl profile
  - serverssl profile
- Pool
  - member_WAF - IP:80, priority 100, default target for traffic, should receive unencrypted traffic
  - member_srv - IP:443, priority 10, backup target, should receive encrypted traffic

If that's the case, try this iRule:

    when CLIENT_ACCEPTED {
        # Server side starts in cleartext; the flag tracks the chosen member
        SSL::disable serverside
        set https 0
    }
    when LB_SELECTED {
        # 1 only when the selected member listens on 443
        set https [expr {[LB::server port] == 443}]
    }
    when SERVER_CONNECTED {
        if { $https } {
            SSL::enable serverside
        }
    }

It will disable serverssl by default in CLIENT_ACCEPTED, as most often traffic will go to the HTTP member. If, however, the LB selects the member with port 443 (so your backend server instead of the WAF), then the serverssl profile is enabled before starting the TCP session on the server side.
Piotr
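A variant of the approach in the reply above, added here as an example and not code posted in the thread: it toggles the server-side profile in both directions so that a later selection of the port-80 member after a port-443 one does not leave the server side encrypted. The pool layout, member ports and the debug log line are assumptions.

```tcl
# Added example, not from the thread. Assumes one virtual on 443 with
# clientssl + serverssl profiles and a pool whose priority-100 member is the
# WAF on port 80 and whose priority-10 member is the real server on port 443.
when CLIENT_ACCEPTED {
    # Default to a cleartext server side; most traffic goes to the WAF on 80.
    SSL::disable serverside
    set https 0
}
when LB_SELECTED {
    # Re-evaluated on every selection, so the flag always matches the member
    # that is about to be connected rather than the first one chosen.
    set https [expr {[LB::server port] == 443}]
    log local0.debug "selected [LB::server addr]:[LB::server port] https=$https"
}
when SERVER_CONNECTED {
    # Set the profile state explicitly in both branches so a change of member
    # from 443 back to 80 (or the reverse) never inherits the previous state.
    if { $https } {
        SSL::enable serverside
    } else {
        SSL::disable serverside
    }
}
```

Use the debug log line only while validating; remove it once the port-to-profile mapping is confirmed in the LTM log.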