For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Asif_Iqbal_2148's avatar
Asif_Iqbal_2148
Icon for Nimbostratus rankNimbostratus
Mar 11, 2016

How to allow both HTTP and HTTPS traffic from a single VIP?

Hi all,   We have a VIP setup for SSL bridging i.e. client-->443-->F5-->443-->backend servers and we want to allow both http and https traffic through the same VIP. Also, I am new to F5 so any hel...
application delivery
LTM
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Mar 11, 2016

I'd recommend two Virtual Servers instead - one for port TCP 80, another for port TCP 443. It's a straight-forward setup which is a much preferred configuration over a wildcard Virtual Server. It's not a bad idea to go for a wildcard VS if the number of ports is significant (i.e. a few hundred), but I see no good reason for a single VS setup if you're just working with two ports (80 and 443).

 

If you insist on using a single VS for whatever reason, just configure it as L4 Performance (or Standard) Type Virtual Server with port number set to *. Do not apply HTTP profile. Now the main question is, if you accept clientside TCP port 80 connections, do you want the serverside connections to be routed to Pool-Member:443, or Pool-Member:80? Depending on your requirements, you may need to use an iRule (CLIENT_ACCEPTED event) or LTM Local Trafic Policy to select the appropriate destination.

 

As you set VS port number to * (any), you also want to make sure you do not allow incoming requests to other ports besides TCP 80 and 443. For that, you must fine-tune the pool-selection Policy/iRule to drop packets to irrelevant ports. Luckily, that's not very hard to do either. Just let us know if you need help with anything.

 

Regards,

 

Asif_Iqbal_2148's avatar
Asif_Iqbal_2148
Icon for Nimbostratus rankNimbostratus
Mar 11, 2016
Thanks for your reply Hannes!!! Well currently we have a single 443 VIP with only Pool-member:443 no Pool-member:80. So when we access the application either with http://xyz.net or https://xyz.net it is getting redirected to the https which is normal. The thing they wanted is to allow both http and https traffic through i.e. it gets redirected to http and https both. Being a production setup I cannot play with it as I am new to the F5 tech. Also, help me with the irule for this scenario and the things required from the server team. Please let me know if anything is not clear from my side so far. Any help would be highly appreciated. regards!!!