Forum Discussion
http and https members in one pool
Hi,
I wonder if there is a way to set up a pool so it has one member using http and another using https. I am pretty sure it's not possible via VS settings, as ServerSSL is global for the VS - so traffic to all pool members is either encrypted or not.
However, I hope it could be done using an iRule - I would appreciate any ideas or resources pointing in the right direction on what such an iRule should look like.
Piotr
2 Replies
Hi Piotr,
A pool is just a dumb collection of IP:Port combinations, so you can mix :80 and :443 as you want. You can even pool different instances of the same node into one pool...
You're right that you have to use an iRule to selectively control the server-side SSL Profile. I guess using the [TCP::remote_port] in combination with the [SSL::enable] or [SSL::disable] command would be a good way to distinguish between the different types of pool members. So you may try this snippet as a starting point...

    when SERVER_CONNECTED {
        # Fires once the server-side connection to the selected pool member is established
        if { [TCP::remote_port] equals "443" } then {
            # Pool member listens on 443: keep the Server SSL profile active
            SSL::enable serverside
        } else {
            # Any other port: send to this member without server-side SSL
            SSL::disable serverside
        }
    }

Cheers, Kai
Hi Piotr,
Although LTM Policies do have support for enabling/disabling Server SSL Profiles, I strongly believe that LTM Policies can't be used for this specific scenario. In addition to that, I believe that LTM Policies in their current implementation are performance-wise rather suboptimal for controlling Server SSL Profiles. The reasons for that are...
- LTM Policies are processed before the actual LB selection is completed. So you won't get the chance to grab the port number of the selected pool to selectively disable/enable the Server SSL Profile.
- LTM Policies would re-enable/re-disable the SSL Profile on each single request, whereas an iRule can be adjusted to ideally use the SERVER_CONNECTED event, to perform the required action only once during server-side connection establishment (aka. OneConnect anyone?)
Cheers, Kai