Forum Discussion
daveclark_20228
Nimbostratus
Jun 10, 2009
How do I convert this iRule to use HTTPS instead of HTTP
Hello
I have these 2 iRules, one is to redirect on port and one to redirect on URI. Both are to do the same thing.
I have 2 apps both listen out on https , and terminat...
jeff_mccombs_47
Nimbostratus
Jun 11, 2009
Wait.. I'm confused.
To terminate SSL on the F5's, you should have two virtual servers, correct? 1 that is listening on port 80, and another on port 443 (with the SSL client profile associated with it).
If you have inbound connections into the VS listening on port 80 (http), the iRule is very, very simple:
when HTTP_REQUEST {
    # HTTP::uri already starts with "/", so no extra slash after the host
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
On your SSL protected virtual server is where you would select pools;
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/nexusclient/login.aspx" } {
        pool
    } elseif { [HTTP::uri] starts_with "/site/blah/blah/login.aspx" } {
        pool
    } else {
        reject
    }
}
If you have inbound connections from clients coming in on port 81 and port 90, just create two new virtual servers using the same IP addresses as the :80 and :443 ones use, but listening on :81 and :90. You don't even need an iRule in this case, just make the last-hop-pool for the VS on :81 "EDG-LIVE-PRE-81-TEST1-PL", and the last-hop pool on the :91 virtual server as "EDG-LIVE-PRE-CLT-90-TESET1-PL".
If you need those :81 and :90 virtual servers to be SSL protected, just install an SSL client profile on each virtual server, or just let it pass right on through if the SSL is being terminated back in your pool.
So, for argument's sake let's assume you want inbound connections on 127.0.0.1. You'd have the following setup:
1. Virtual Server 1, Listening on 127.0.0.1:80, using the HTTPS redirection iRule.
2. Virtual Server 2, Listening on 127.0.0.1:443, using the URL-based pool selection iRule, and a client-ssl profile with the proper key/cert associated with it.
3. Virtual Server 3, Listening on 127.0.0.1:81, with no iRule at all, just a last-hop pool configured.
4. Virtual Server 4, Listening on 127.0.0.1:90, again with no iRule, just a single last-hop pool configured.
So if a user went to: http://127.0.0.1/whatever, they would automatically be redirected to https://127.0.0.1/whatever.
If a user went to http://127.0.0.1:81/whatever, they would wind up in the :81 last-hop pool.
If a user went to http://127.0.0.1:90/whatever, they would wind up in the :90 last-hop pool.
If you wanted those last two on :81 and :90 to be SSL protected, create an SSL client profile with the proper key/cert and associate it with each virtual server (3 and 4 from the example above). In that case:
If a user went to http://127.0.0.1:81/whatever, the connection would be rejected.
If a user went to https://127.0.0.1:81/whatever, the connection would be allowed and passed on to a member in the configured last-hop pool.
Same for :90..
That work? Or were you looking for something else?
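Added example, not part of the original thread and not F5's own code: a variant of the port-80 redirect iRule that checks the client-supplied Host header against an allowlist before echoing it into the Location header, and strips any ":port" suffix so the redirect lands on the :443 virtual server. The two hostnames are constructed placeholders.

```tcl
# Redirect iRule for the virtual server listening on port 80.
# Assumption: www.example.com and app.example.com stand in for the
# names this virtual server actually serves; replace them.
when HTTP_REQUEST {
    # The Host header is client-controlled. Drop a ":port" suffix
    # (e.g. "www.example.com:80") and normalise case before use.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "www.example.com" -
        "app.example.com" {
            # HTTP::uri already begins with "/", so nothing is added
            # between the host and the URI. 301 marks the move as
            # permanent; HTTP::redirect would send a 302 instead.
            HTTP::respond 301 Location "https://${host}[HTTP::uri]"
        }
        default {
            # Unknown or empty Host: refuse the connection rather
            # than reflect the value back in a redirect.
            reject
        }
    }
}
```

Without the allowlist, a request carrying an arbitrary Host header gets a redirect pointing at that host, which matters if a cache or proxy in front of the BIG-IP stores the response.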