Forum Discussion

Fornacis_104805
Nov 11, 2013

Help disabling SSL encryption on VS using SSL offload per host name

Hello everyone...I'm no F5 expert but you know how it is...I get volunteered for iRule work. :(


I have a VS that is using a wildcard cert, and the thought is to point about 5 sites to the one VS. I created an iRule that directs traffic to a pool per host name. That is working fine.


The problem is we have some sites that use sites stacked under one website that gets cranky with SSL offload. My thought is to disable SSL offload for specific sites and let the server handle the SSL. I started an iRule that looks like this... I tried to rename the company stuff, so I hope I didn't make it confusing to read. Any help is appreciated.


The VS is configured with SSL Client Profile and HTTP Profile.


when HTTP_REQUEST {
    # Normalise the Host header once so every comparison below is case-insensitive
    set host [string tolower [HTTP::host]]

    if { $host equals "no.ssloffload.com" } {
        # Site that cannot cope with offload: try to hand TLS to the server
        SSL::disable clientside
        pool pool_no.ssloffload.com
    } elseif { $host contains "ssloffload" } {
        # Every other site is mapped to a pool named after its host name
        set ssloffload_pool "pool_$host"
        if { [catch { pool $ssloffload_pool }] } {
            log local0. "Pool $ssloffload_pool does not exist. Discarding request."
            discard
        } else {
            log local0. "Successfully assigned pool $ssloffload_pool."
        }
    } else {
        # Unknown host: drop the request
        discard
    }
}


~David


1 Reply

  • This is generally not possible in the HTTP context. By the time you get to layer 7 HTTP evaluation, the layer 5/6 SSL has already happened. You would necessarily need to enable/disable SSL processing at layer 3/4 (IP subnets) or potentially at layer 5/6 SSL. The SSL layer switching would be a bit more complicated, and would rely on the client's ability to send the server name in the CLIENTHELLO message - a function of the TLS protocol. Older clients (i.e. WinXP and earlier) would not be able to do this.


    Optionally, you could simply re-encrypt to the server side, based on the Host header. Your above iRule would then work if you changed "clientside" to "serverside".
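The re-encrypt approach from the reply, written out as an added example (not code from the original post or the reply): the client-side TLS is still terminated on the BIG-IP, and the Host header only decides whether the server-side connection is re-encrypted and which pool receives it. Host names and pool names are placeholders, and the virtual server is assumed to carry a Client SSL profile, an HTTP profile and a Server SSL profile, since the serverside SSL commands fail without one.

```tcl
# Added example: per-host pool selection with server-side re-encryption
# decided by the Host header. Host/pool names are placeholders.
when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]

    switch -glob -- $host {
        "no.ssloffload.com" {
            # Back end insists on terminating TLS itself: re-encrypt toward
            # the pool member so it still sees an HTTPS connection.
            SSL::enable serverside
            set target_pool "pool_no.ssloffload.com"
        }
        "*ssloffload*" {
            # Plain offload: decrypt here, send clear text to the pool.
            SSL::disable serverside
            set target_pool "pool_$host"
        }
        default {
            # Unknown host: refuse rather than guess a pool.
            log local0. "Unknown host '$host' from [IP::client_addr]; rejecting."
            reject
            return
        }
    }

    # The pool command throws if the pool is not configured; fail closed.
    if { [catch { pool $target_pool } err] } {
        log local0. "Pool $target_pool does not exist ($err); rejecting request for $host."
        reject
        return
    }
    log local0. "Host $host -> pool $target_pool"
}
```

The exact host name is matched before the wildcard because switch takes the first matching pattern, so "no.ssloffload.com" is not swallowed by "*ssloffload*".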