Forum Discussion

daveclark_20228
Jun 10, 2009

How do I convert this iRule to use HTTPS instead of HTTP

Hello

I have these 2 iRules, one to redirect on port and one to redirect on URI. Both are to do the same thing.

I have 2 apps, both listen on HTTPS and terminate SSL at the LTM and forward to TCP; one app goes to 81 and one goes to 90 on the same back-end servers.

I have the concept for the iRule for HTTP, but how do I get these iRules to work for HTTPS?

irule 1

    when HTTP_REQUEST {
        set redirectPort [getfield [HTTP::host] ":" 2]
        log local0. "port: $redirectPort"
        if { $redirectPort equals "90" } {
            pool EDG-LIVE-PRE-CLT-90-TEST1-PL
        } elseif { $redirectPort equals "81" } {
            pool EDG-LIVE-PRE-81-TEST1-PL
        } else {
            reject
        }
    }


irule 2

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/nexusclient/login.aspx" } {
            pool EDG-LIVE-PRE-81-TEST1-PL
        } elseif { [HTTP::uri] starts_with "/site/00000013/en-GB/Login.aspx" } {
            pool EDG-LIVE-PRE-CLT-90-TEST1-PL
        } else {
            reject
        }
    }


Many thanks for your time.

P.S. I am not a programmer and very new to iRules.


  • Wait.. I'm confused.

    To terminate SSL on the F5's, you should have two virtual servers, correct? 1 that is listening on port 80, and another on port 443 (with the SSL client profile associated with it).

    If you have inbound connections into the VS listening on port 80 (http), the iRule is very, very simple:

        when HTTP_REQUEST {
            # send the client to the same host and path over HTTPS
            # ([HTTP::uri] already starts with "/", so no extra slash is needed)
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }

    On your SSL protected virtual server is where you would select pools:

        when HTTP_REQUEST {
            if { [HTTP::uri] starts_with "/nexusclient/login.aspx" } {
                pool <pool-for-81>   ;# pool name left out in the original post
            } elseif { [HTTP::uri] starts_with "/site/blah/blah/login.aspx" } {
                pool <pool-for-90>   ;# pool name left out in the original post
            } else {
                reject
            }
        }

    If you have inbound connections from clients coming in on port 81 and port 90, just create two new virtual servers using the same IP addresses as the :80 and :443 ones use, but listening on :81 and :90. You don't even need an iRule in this case, just make the last-hop-pool for the VS on :81 "EDG-LIVE-PRE-81-TEST1-PL", and the last-hop pool on the :90 virtual server "EDG-LIVE-PRE-CLT-90-TEST1-PL".

    If you need those :81 and :90 virtual servers to be SSL protected, just install an SSL client profile on each virtual server, or just let it pass right on through if the SSL is being terminated back in your pool.

    So, for argument's sake, let's assume you want inbound connections on 127.0.0.1. You'd have the following setup:

    1. Virtual Server 1, listening on 127.0.0.1:80, using the HTTPS redirection iRule.
    2. Virtual Server 2, listening on 127.0.0.1:443, using the URL-based pool selection iRule, and a client-ssl profile with the proper key/cert associated with it.
    3. Virtual Server 3, listening on 127.0.0.1:81, with no iRule at all, just a last-hop pool configured.
    4. Virtual Server 4, listening on 127.0.0.1:90, again with no iRule, just a single last-hop pool configured.

    So if a user went to http://127.0.0.1/whatever, they would automatically be redirected to https://127.0.0.1/whatever.

    If a user went to http://127.0.0.1:81/whatever, they would wind up in the :81 last-hop pool.

    If a user went to http://127.0.0.1:90/whatever, they would wind up in the :90 last-hop pool.

    If you wanted those last two on :81 and :90 to be SSL protected, create an SSL client profile with the proper key/cert and associate it with each virtual server (3 and 4 from the example above). In that case:

    If a user went to http://127.0.0.1:81/whatever, the connection would be rejected.

    If a user went to https://127.0.0.1:81/whatever, the connection would be allowed and passed on to a member in the configured last-hop pool.

    Same for :90.

    That work? Or were you looking for something else?
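    The layout described in this reply, written out as an added example (two separate iRules in one listing; this is not code from the thread or from F5). It assumes the pool names from the question exist and, as my own change, reads the port from the connection with TCP::local_port rather than from the client-supplied Host header, because after SSL termination on :443 the Host header normally carries no port at all.

```tcl
# --- iRule A: attach to the :80 virtual server ----------------------------
# Sends every plain-HTTP request to HTTPS on the same host and path.
# [HTTP::uri] already begins with "/", so no slash is added after the host.
when HTTP_REQUEST {
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}

# --- iRule B: attach to the :443, :81 and :90 virtual servers -------------
# All three carry a client-ssl profile, so HTTP_REQUEST sees the decrypted
# request. The port comes from the connection, not from the Host header:
# a browser talking to the default HTTPS port sends "Host: example.com"
# without ":443", so [getfield [HTTP::host] ":" 2] is empty there and the
# port-based rule from the question would reject every request on :443.
# Pool names are the ones from the question (assumption: they exist).
when HTTP_REQUEST {
    switch -- [TCP::local_port] {
        81  { pool EDG-LIVE-PRE-81-TEST1-PL }
        90  { pool EDG-LIVE-PRE-CLT-90-TEST1-PL }
        443 {
            # Default HTTPS port: pick the pool from the path. The path is
            # lower-cased first, which is looser than the original
            # case-sensitive starts_with match.
            switch -glob -- [string tolower [HTTP::path]] {
                "/nexusclient/login.aspx*" {
                    pool EDG-LIVE-PRE-81-TEST1-PL
                }
                "/site/00000013/en-gb/login.aspx*" {
                    pool EDG-LIVE-PRE-CLT-90-TEST1-PL
                }
                default {
                    log local0. "no pool for [IP::client_addr] [HTTP::host][HTTP::uri]"
                    reject
                }
            }
        }
        default {
            log local0. "unexpected local port [TCP::local_port] from [IP::client_addr]"
            reject
        }
    }
}
```

    With iRule B on the :81 and :90 virtual servers as well, the port-specific pools are chosen without any Host-header parsing, and anything that reaches a port you did not expect is logged and rejected.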
  • Hi Ovdemonz,

    The way you are using your VS seems a bit odd to me. Why couldn't you create the VS in the following way?

    VS 1 1.1.1.1:80 ---> Pool 3.3.3.3:80

    VS 2 1.1.1.1:443 ---> Pool 3.3.3.3:443

    VS 3 1.1.1.1:4343 ---> Pool 3.3.3.3:4343

    Then you can create an iRule and apply it to VS 1 and 2:

        when HTTP_REQUEST {
            switch -glob [HTTP::host] {
                "*.site.com" { HTTP::redirect "https://www.site.com:4343" }
                default { pool pool_A }
            }
        }

    Of course I am making assumptions about why you would create a VS:0 wildcard vs. specific VS:80, 443, 4343.

    Hope this helps.

    CB

  • Hi DaveClark15,

    Can you post the structure of your VIP and pool configuration? It would make it easier to understand why you would need 2 separate iRules doing the same thing.

    CB