Forum Discussion
Jason_Hook_4092
Nimbostratus
NimbostratusExpose pool member in response
I would like to expose which pool member responded to the request for tracking within TrueSight in front of the VIP.
This is what I feel will work, but I'd like some feedback whether this is clean and if I can add this on to VIPs that already have iRules on them. I don't have much experience with multiple iRules on a VIP and would like to know if this would interfere with others.
LTM v10.0.1
when HTTP_RESPONSE {
Remove header if already existing to keep from getting dups
HTTP::header remove "serverIP"
Insert header with responding server IP
HTTP::header insert "serverIP" [IP::server_addr]
}
19 Replies
- Chris_Miller
Altostratus
Posted By Jason Hook on 01/12/2011 08:29 AM
If you have the server defined to the pool on 443 but do not have a ServerSSL profile configured, the request gets dropped on the floor and you don't get a response. Without a ServerSSL profile the back-side of the VIP can't handle the SSL handshake to the server.
That's where I was confused. What in the LTM's config is saying "if pool member is 443, you must connect to it over SSL?" 
Jason_Hook_4092It was trial and error for me.- JRahm
Admin
Posted By Chris Miller on 01/12/2011 08:32 AM
That's where I was confused. What in the LTM's config is saying "if pool member is 443, you must connect to it over SSL?"
Nothing. Only specification of a serverssl profile will initiate an ssl handshake from the LTM. - Chris_MillerPosted By Jason Rahm on 01/12/2011 08:40 AM
Posted By Chris Miller on 01/12/2011 08:32 AM
That's where I was confused. What in the LTM's config is saying "if pool member is 443, you must connect to it over SSL?"
Nothing. Only specification of a serverssl profile will initiate an ssl handshake from the LTM.
So would you expect pool members listening on 443 to accept clear text or would Apache/IIS not allow such a thing? It'd be the equivalent of saying "http://sample.com:443" 
fujisenWe have tons of HTTPS vip without Client SSL or even Server SSL but working fine, do you think these are working on clear text ? god help us..- Chris_MillerPosted By fujisen on 01/12/2011 08:47 AM
We have tons of HTTPS vip without Client SSL or even Server SSL but working fine, do you think these are working on clear text ? god help us..
In that case, the pool member is doing the SSL termination so it's SSL end-to-end. In the scenario we're discussing, LTM does the termination and sends cleartext to the pool member over 443. - JRahmWhat I'm saying is that there is nothing in LTM that commands you to use an serverssl profile on pool members listening on port 443. That is a well-accepted SSL port, but if you have a pool member listening on port 443 that is serving FTP, it wouldn't make much sense to try to speak ssl. Match the protocol to the server protocol, whatever that is. Many people obfuscate services by using non-standard ports.
Matt_Breedlove_
Related to exposing a pool member in response. So far the suggestion is to insert an HTTP header in the response.
What about adding an html comment into the returned markup? Is there a clean way to do this without having to be concerned with re-chunking compatibility exactly much as I do now without it on v9 or v10?
Basically a comment like this at the top of the page returned- You could certainly add an HTML comment, though you would risk rechunking, certainly. This would also require that you're terminating SSL on the LTM as with the header, since you can't modify any SSL content inline without decrypting first.
Colin
