Forum Discussion
Hi guys,
Thanks for your replies on this topic, but I've actually run into another hurdle. Forgive me for not explaining this very well, as I'm new to F5 and load balancing in general.
What the devs are asking for, which I'm not even sure is possible, is the following:
1) Two Virtual Servers that share the same IP
2) Both need to be able to "pass" SSL traffic to back end Servers running IIS (It's the same site name on both IIS configurations but on different physical servers, because one is designed in .net Core and the other one isn't.)
3) They want to pass only certain SSL content to one VS and other SSL content to another based on what the uri ends with. For example (/svc/test.asp)
Based on those requirements, I decided to set up the Virtual Servers so that both share the same IP but one is using Service Port 80 and the other is Service Port 443, because of course it errors if I try to make them the same service port.
The Virtual Server that is using Service Port 443 has an SSL profile and I'm terminating the cert on the F5. The pool assigned to it is called PoolDevCCEhttps and only has one member.
The Virtual Server that is using Service Port 80 has its SSL certificate terminating on the IIS webserver. The pool assigned to it is called PoolDevCCE and only has one member.
On the Virtual Server that is using Service Port 443 I've added the following iRule to its resources, hoping that when I try to access the site using https the F5 would send the traffic to the pool (PoolDevCCE):
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/svc/CCEUserMonitor.asp" { pool PoolDevCCE }
    }
}
Results of this config:
1) When I navigate to the site using https it goes to pool PoolDevCCEhttps (works as expected)
2) When I navigate to the site using http it goes to pool PoolDevCCE (works as expected)
3) When I navigate to the site using https including /svc/CCEUserMonitor.asp I'm getting a blank white screen and it appears to be using pool PoolDevCCEhttps because I see the cert I terminated on the F5.
See, the problem that I have is that if this is how they want it to work in production, I don't think the 301 is an option, being that both servers have the same site name?
You don't need 2 VS.
You need 1 VS listening on port 443 with SSL terminated on the F5.
You need 2 pools - one for .net and another for non-.net
Use an iRule like this:
when HTTP_REQUEST {
    if { [HTTP::uri] eq "" } {
        pool POOL_FOR_DOTNET
    } else {
        pool POOL_FOR_NOT-DOTNET
    }
}
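
A single-virtual-server version of the routing discussed in this thread, as an added example that is not code from either poster. It goes beyond the reply by lowercasing the request path and matching it against an all-lowercase pattern, because a lowercased URI can never match a mixed-case pattern such as "/svc/CCEUserMonitor.asp". Assumptions: the pool names are reused from the first post, the PoolDevCCE member expects TLS while the PoolDevCCEhttps member takes plain HTTP, and the virtual server has both a client SSL and a server SSL profile attached.

```tcl
# Added example (not from the thread). One virtual server on port 443,
# client-side TLS terminated on the BIG-IP, pool chosen per request.
# Assumption: which pool serves which path, and which pool member speaks TLS.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so "?x=1" cannot defeat the match.
    # The path is lowercased once; every pattern below must be lowercase too.
    switch -glob -- [string tolower [HTTP::path]] {
        "/svc/cceusermonitor.asp" {
            # Assumed: this member terminates TLS itself (IIS holds the cert),
            # so re-encrypt using the server SSL profile on the virtual server.
            SSL::enable serverside
            pool PoolDevCCE
        }
        default {
            # Assumed: this member accepts plain HTTP behind the BIG-IP.
            # Disable server-side TLS for this request only.
            SSL::disable serverside
            pool PoolDevCCEhttps
        }
    }
}
```

If both pool members accept plain HTTP, the two SSL:: lines and the server SSL profile can be dropped; if both expect TLS, keep the profile and drop the SSL::disable line.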