Forum Discussion
dwillis619_3073
Nimbostratus
May 26, 2017
Dynamically remove serverssl profile
My question is how the iRule should look to dynamically remove the serverssl profile when traffic goes to pool using 80. I have a pool with a WAF and a real server set in priority groups with the WA...
dragonflymr
Cirrostratus
May 27, 2017
Hi,
I assume your config is like that:
- VS
  - IP:443
  - clientssl profile
  - serverssl profile
- Pool
  - member_WAF - IP:80, priority 100, default target for traffic, should receive unencrypted traffic
  - member_srv - IP:443, priority 10, backup target, should receive encrypted traffic
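If that's the case, try this iRule:
```tcl
when CLIENT_ACCEPTED {
    # Default: server-side SSL off, flag cleared
    SSL::disable serverside
    set https 0
}
when LB_SELECTED {
    # Flag is 1 when the selected pool member listens on port 443
    set https [expr {[LB::server port] == 443}]
}
when SERVER_CONNECTED {
    # Turn server-side SSL back on only for the port 443 member
    if { $https } {
        SSL::enable serverside
    }
}
```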
It will disable serverssl by default in CLIENT_ACCEPTED, as most often traffic will go to the HTTP member. If, however, LB selects the member with port 443 (so your backend srv instead of the WAF), then the serverssl profile is enabled before starting the TCP session on the server side.
Piotr