Forum Discussion
Lance_Simon_557
Mar 22, 2008
Historic F5 Account
Fallback URL for SSL pass through
I'd like to have a fallback url to send traffic to if I do not have any pool members available for my "pass through" SSL VIP. I was thinking that this might work, but I was wrong:
    when CLIENT_ACCEPTED {
        if {[active_members https_pool] < 1} {
            HTTP::redirect "https://abc.123.com"
        }
    }
Because I'm passing ssl through the BigIP, not terminating on the LTM, I cannot use an HTTP profile to take care of this for me.
Any assistance would be appreciated.
12 Replies
- The_Bhattman
Nimbostratus
Not sure if this is going to help, but have you tried using the following:

    when CLIENTSSL_HANDSHAKE {
        if { [active_members https_pool] > 1 } {
            HTTP::redirect "https://abc.123.com"
        }
    }
    when SERVERSSL_HANDSHAKE {
        if { [active_members https_pool] > 1 } {
            HTTP::redirect "https://abc.123.com"
        }
    }
- Lance_Simon_557
Historic F5 Account
Thanks, but it doesn't work either. I just got the "command is not valid in current event context" message when trying to enter via the GUI.
- csc_18168
Nimbostratus
In a passthrough SSL virt will there be any handshake that the BigIP knows about?
- The_Bhattman
Nimbostratus
No, it won't determine that for an SSL passthrough, at least not from the tests that I have done. The problem is that in order for this to work, SSL has to be decrypted before the iRules can process it for the HTTP::redirect command.
- Nicolas_Menant
Employee
Hi,
- The_Bhattman
Nimbostratus
Maybe there will be a way to present some more options in future releases.
- Nicolas_Menant
Employee
Not for such a thing.
- csc_18168
Nimbostratus
In 4.x you can tell the configs for the pool to do a fallback host, and it doesn't care anything about http/https/etc. So this is somewhat of a regression as it pertains to how we did things in 4.x compared to 9.x, we lost that flexibility.
- Nicolas_Menant
Employee
You can configure a fallback host within an HTTP profile in v9.X
- hoolio
Cirrostratus
If you're able to import the SSL cert and key to the BIG-IP, you could use a rule to check whether there are any members available in the pool. If there are members available, the requests would be passed through the BIG-IP without trying to decrypt the HTTPS. If no members are available, you could use the cert/key to decrypt the traffic and send an HTTP redirect. The VIP configuration would need a client SSL profile and an HTTP profile.

    when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: Received connection with active members: [active_members [LB::server pool]]"

        # Check if there are members available in the VIP's default pool
        if {[active_members [LB::server pool]]} {

            # Disable the client SSL profile so the HTTPS traffic is passed through encrypted to the node
            SSL::disable

            # Disable the HTTP profile as we're not going to redirect this request
            HTTP::disable
            log local0. "[IP::client_addr]:[TCP::client_port]: Members available"
        }
    }
    when HTTP_REQUEST {
        # The HTTP_REQUEST event is only triggered if the pool members are down
        # and the client SSL and HTTP profiles are left enabled

        # Redirect the client
        HTTP::redirect https://maintenance.example.com
        log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting request"
    }
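
The point made in the thread, that the traffic has to be decrypted before an HTTP redirect can be sent, shown as an added Python example that is not from any poster in the thread: it classifies the first bytes a pass-through virtual server receives and checks whether a plaintext 302 would even be framed as TLS for the waiting client. The sample ClientHello, the sample HTTP messages and all function names are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}

def tls_record_header(data: bytes):
    """Return (content_type, (major, minor), length) if data starts with a TLS record header."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_CONTENT_TYPES or major != 3 or length > 2**14 + 2048:
        return None
    return TLS_CONTENT_TYPES[ctype], (major, minor), length

def describe_first_bytes(data: bytes) -> dict:
    """What a proxy that does not decrypt can learn from the first client bytes."""
    header = tls_record_header(data)
    if header:
        is_hello = header[0] == "handshake" and len(data) > 5 and data[5] == 0x01
        # The HTTP request line only exists inside encrypted records sent later,
        # so there is no request for an HTTP-level redirect to answer.
        return {"kind": "tls", "client_hello": is_hello, "http_request_visible": False}
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return {"kind": "http", "client_hello": False, "http_request_visible": True}
    return {"kind": "unknown", "client_hello": False, "http_request_visible": False}

def client_would_parse_as_tls(reply: bytes) -> bool:
    """A TLS client waiting for ServerHello only accepts bytes framed as TLS records."""
    return tls_record_header(reply) is not None

# --- Constructed sample data (not captured traffic) ---
# Minimal ClientHello body: version, 32-byte random, empty session id,
# one cipher suite, null compression.
_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
_handshake = b"\x01" + len(_body).to_bytes(3, "big") + _body
CLIENT_HELLO = struct.pack("!BBBH", 22, 3, 1, len(_handshake)) + _handshake
PLAIN_REQUEST = b"GET / HTTP/1.1\r\nHost: abc.123.com\r\n\r\n"
PLAIN_REDIRECT = b"HTTP/1.0 302 Found\r\nLocation: https://abc.123.com\r\n\r\n"

if __name__ == "__main__":
    print(describe_first_bytes(CLIENT_HELLO))
    print(describe_first_bytes(PLAIN_REQUEST))
    print(client_would_parse_as_tls(PLAIN_REDIRECT))
```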