Forum Discussion
How to specify protocol in iRule
Hello all
I'm trying to swap a pool resource and also the protocol in an iRule, but I'm not sure how to do this. The environment I have is:
http://www.example.com gets routed to:
PRES layer F5 (11.6) VS: 172.16.10.1:80
    pool1  Node1: 172.16.15.1:80     Node2: 172.16.15.2:80
    pool2  Node1: 172.16.50.1:9443
APP layer F5 (11.6) VS: 172.16.50.1:9443
    pool5  Node1: 172.16.55.1:9443   Node2: 172.16.55.2:9443
I have an iRule on the PRES F5 that inspects the URI:
if {([string tolower [HTTP::uri]] starts_with "/logon/")} {
    pool pool2
}
The idea is so all logon requests are served by pool5 in the APP layer - there is an SSL cert on each node of pool5. I have had this working OK when the servers are all HTTP and there is no SSL involved.
If I hit https://172.16.50.1:9443/logon/landing.htm in a browser, I get the site OK, but I cannot get to the site if I browse to http://172.16.10.1/logon/landing.htm
It's as if the PRES F5 is not performing the SSL handshake like the browser is. Or am I missing something in the iRule, so that when I perform the pool switch, I also need to tell the request to switch to HTTPS?
Any pointers would be great.
Thanks
Tony
1 Reply
Okay, so you have a couple of things going on here.
You have an HTTP (no SSL) virtual that you're connecting to and want to send to one of two back end pools depending on URL. One of those pools, POOL1, is also a non-SSL connection, but POOL2 wants SSL.
The problem that you're running into is that the traffic to POOL2, even though it's on tcp/9443, is still not encrypted. There are a couple of ways to do this, and since it seems like you're really wanting to tie this into the app layer, it might make sense to either use a redirect or a virtual.
The whole point of the virtual is to apply the server side ssl, and at the same time, only apply it when it's needed for pool2. Something to remember, though, the client side connection will still be in the clear.
ltm virtual pool2-virtual {
    destination 192.168.100.100:http
    ip-protocol tcp
    mask 255.255.255.255
    pool pool2
    profiles {
        default-http-profile { }
        default-oneconnect-profile { }
        default-tcp-lan-optimized-default { context clientside }
        default-tcp-wan-optimized-default { context serverside }
        serverssl { context serverside }
    }
    source-address-translation { type automap }
    vs-index 3
}
At that point, the iRule on the existing virtual would change to:
if {([string tolower [HTTP::uri]] starts_with "/logon/")} {
    virtual pool2-virtual
}
Or, alternatively, just create a new pool and listener for that server on a non-SSL port.
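The reply above shows the shape of the fix but uses the stock serverssl profile, which does not verify the certificate the app-layer VS presents, and leaves pool2 without a monitor that can talk TLS. The following is an added example (tmsh objects with the iRule inline), not code from the thread or from F5; it assumes the poster's addresses, and the names pool2-https-mon, pool2-serverssl, logon_to_app, the 10.1.1.1 listener address, the CA file /Common/app-layer-ca.crt and the certificate name www.example.com are placeholders to replace with your own.

```tcl
# Added example, not from the original thread. pool2-https-mon,
# pool2-serverssl, logon_to_app, 10.1.1.1, /Common/app-layer-ca.crt and
# the CN www.example.com are assumed names; the 172.16.x addresses are
# the ones from the question. tmsh syntax for BIG-IP 11.x.

# An https monitor speaks TLS to 172.16.50.1:9443. A plain http monitor
# would never get a cleartext reply and would mark the member down.
ltm monitor https pool2-https-mon {
    defaults-from https
}

ltm pool pool2 {
    members {
        172.16.50.1:9443 { address 172.16.50.1 }
    }
    monitor pool2-https-mon
}

# Server-side SSL profile that verifies the app-layer certificate.
# The stock serverssl profile keeps peer-cert-mode at ignore, so the
# PRES BIG-IP would accept any certificate the next hop presents.
# app-layer-ca.crt is the CA that signed the pool5 node certificates;
# authenticate-name is the CN those certificates carry (both assumed).
ltm profile server-ssl pool2-serverssl {
    defaults-from serverssl
    peer-cert-mode require
    ca-file /Common/app-layer-ca.crt
    authenticate-name www.example.com
}

# Internal listener that applies server-side SSL only to pool2 traffic.
# Clients never connect to this address; the iRule's virtual command
# hands connections to it, so it just has to be unique on the box.
ltm virtual pool2-virtual {
    destination 10.1.1.1:80
    ip-protocol tcp
    mask 255.255.255.255
    pool pool2
    profiles {
        http { }
        tcp { }
        pool2-serverssl { context serverside }
    }
    source-address-translation { type automap }
}

# iRule attached to the existing client-facing virtual 172.16.10.1:80.
ltm rule logon_to_app {
when HTTP_REQUEST {
    # Match on the path only, lower-cased once, so a query string
    # such as /index.htm?x=/logon/ cannot influence the decision.
    set path [string tolower [HTTP::path]]
    if { $path starts_with "/logon/" } {
        # Hand the connection to the listener that speaks TLS to pool2.
        virtual pool2-virtual
        return
    }
    # Everything else stays on this virtual's default pool (pool1).
    # The redirect alternative from the reply would be
    #   HTTP::redirect "https://172.16.50.1:9443[HTTP::uri]"
    # but that only works if browsers can reach the APP-layer VS
    # directly, and it moves the logon traffic off the PRES layer.
}
}
```

Load the objects, attach logon_to_app to the 172.16.10.1:80 virtual, then confirm the member is up with `tmsh show ltm pool pool2 members` before testing from a browser; if the monitor shows the member down, the CA file or authenticate-name does not match what the pool5 nodes actually present, which is exactly the case peer-cert-mode require is there to catch. The client-side leg (browser to 172.16.10.1:80) is still cleartext, as the reply notes.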