
Forum Discussion

Shuvo_166796
Aug 14, 2014

Force SSL Profile Based on URL

I have a requirement to force an SSL profile based on URL. I've created two different client SSL profiles, i.e. wildcard_ssl & wildcard_ssl_strong. Then I tried to create an iRule containing the following:

    when CLIENT_ACCEPTED {
        if { [string tolower [HTTP::uri]] starts_with "/cipher" } {
            SSL::profile therapbd_wildcard_ssl_strong
        } else {
            SSL::profile therapbd_wildcard_ssl
        }
    }

    when HTTP_REQUEST {
        SSL::renegotiate
    }

But I'm getting "line 2: [command is not valid in current event context (CLIENT_ACCEPTED)] [HTTP::uri]".

My goal is that when people visit my site through secure.mydomain.com they would use the DEFAULT ciphers, and when they visit through secure.mydomain.com they would use the DEFAULT ciphers except with the !RC4:!SSLv2:@STRENGTH option. Is there any way to achieve this other than using SSL::profile?

8 Replies

  • Hi,

    You may use SNI (Server Name Indication) to select an SSL profile based on the hostname.

    But I'm not sure you can force a different SSL profile based on URI.

    BR

    Yann


  • To support Yann - CLIENT_ACCEPTED is triggered when the first SYN is received (so no time to look at HTTP request information as the SSL has not even been negotiated yet), and if SSL had been negotiated it's too late to assign a new SSL profile. So take a look at https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indication.

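The SNI approach both replies point to, written out as an added example that is not from the thread: two client-ssl profiles with different cipher strings, attached to the same virtual server and selected by the hostname the client sends in its ClientHello, so the cipher policy is fixed before any HTTP request exists. The profile, certificate, key and virtual server names, and the second hostname strong.mydomain.com, are assumptions. No renegotiation is involved, which matters because a renegotiation triggered from HTTP_REQUEST only takes effect after the request line, including the URI that triggered it, has already crossed the wire under the ciphers of the first handshake.

```tmsh
# Added example (not from the thread). Profile, cert, key and virtual server
# names and the hostname strong.mydomain.com are assumptions.

# Profile for the general site: BIG-IP DEFAULT cipher string.
# sni-default makes this the fallback when the client sends no SNI extension.
create ltm profile client-ssl clientssl_default {
    defaults-from clientssl
    cert wildcard_mydomain.crt
    key wildcard_mydomain.key
    server-name secure.mydomain.com
    sni-default true
    ciphers DEFAULT
}

# Stricter profile: DEFAULT minus RC4 and SSLv2, ordered by strength.
create ltm profile client-ssl clientssl_strong {
    defaults-from clientssl
    cert wildcard_mydomain.crt
    key wildcard_mydomain.key
    server-name strong.mydomain.com
    ciphers DEFAULT:!RC4:!SSLv2:@STRENGTH
}

# Attach both profiles on the client side; BIG-IP picks the one whose
# server-name matches the SNI hostname in the ClientHello.
modify ltm virtual vs_secure_https profiles add {
    clientssl_default { context clientside }
    clientssl_strong { context clientside }
}
```

To check which profile a client lands on, connect with `openssl s_client -connect <vip>:443 -servername strong.mydomain.com -cipher RC4` from a client whose OpenSSL build still offers RC4: the handshake should be refused, while the same command with `-servername secure.mydomain.com` should complete. Both hostnames must resolve to the same virtual server address, and the wildcard certificate must cover both names.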

  • Hi,

    maybe you can try something like this:

      when HTTP_REQUEST {
          if { [HTTP::uri] starts_with "/securearea/" } {
              # Hold the request until the new handshake has completed
              HTTP::collect
              # Drop the cached session so the client cannot resume the old one
              SSL::session invalidate
              # Switch to the stricter client-ssl profile and force a renegotiation
              SSL::profile ssl_profile2
              SSL::renegotiate enable
              SSL::renegotiate
          }
      }

      # Release the held request once the renegotiated handshake is done;
      # without this the collected request never reaches the server.
      when CLIENTSSL_HANDSHAKE {
          HTTP::release
      }
    

    Yann


  • Thanks a lot Yann for the solution and nitass for testing it out! My father is sick and hospitalized, hence I couldn't get back to you guys earlier. I'll try this and get back to you soon. One quick & possibly dumb question! Is there any chance that this rule might conflict with session persistence?

     

  • I would say no, unless you do SSL persistence.

    But there should be no change if you set cookie or source-based persistence.

    Good luck