How to configure a virtual server with serverssl profiles to talk to both HTTP and HTTPS backends?
In our F5 (version: 11.6.0) setup:

1. SSL is being terminated on the F5 end.
2. Connections on the serverside (to the backend pool) can be either HTTP or HTTPS. Each pool can contain backends that either "talk" plain HTTP or HTTPS (one or the other, not both).
3. We have a policy attached to the Virtual Server (that's terminating SSL/TLS) that selects a backend pool based on the HTTP host header. Rule: http-host host equals forward select pool
4. The VirtualServer (terminating https) has both client and server ssl profiles.
5. The clientssl profiles serve the appropriate certs based on SNI - that part's working well.
6. For the backend HTTPS case, we have a serverside SSL profile created and attached to the Virtual Server. In addition, we needed to add a default serverside SSL profile created [default-serverssl] with the default SSL profile for SNI checkbox checked. Otherwise we couldn't add multiple serverside ssl profiles. Note: As you'd expect, there is no serverside SSL profile for the HTTP backend case (only exists if backend talks HTTPS).
7. The HTTPS backends serve certificates with the name matching what is set in the serverside SSL profile.
What we were looking to do was to have the virtual server talk HTTPS to backends with a serverside ssl profile (SNI matches) and fall back to talking HTTP if there was no profile.
Really, SSL::{enable,disable} serverside based on a profile, but we were struggling to find the right combination of events/way to do this with an iRule. We did see that the "PROFILE::exists serverssl" and "PROFILE::serverssl name" are not properly set, but I suspect it was because we looked at it at: when SERVER_CONNECTED { ... }
Having a default-serverssl profile does complicate things a bit, plus it's sort of a chicken-and-egg thingy: if we add any serverssl profiles, the F5 only talks HTTPS to the backends (because of the default-serverssl profile), and if we have none, then F5 only talks HTTP to the backends. We wanted a combination of both.
Any suggestions on how to do this would be greatly appreciated. Thanks in advance.