For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mbayer_236661's avatar
mbayer_236661
Icon for Nimbostratus rankNimbostratus
Dec 07, 2015

HTTP going to Pool81 and everything else going to HTTPS on elsePool on Same VIP

I have an application that will need to resolve to the same DNS/VIP -- I would like to have HTTP on say /status route to an Apache listing on port81, and everything else coming in on that same VIP IP...
application delivery
BIG-IP
iRules
StephanManthey's avatar
StephanManthey
Icon for Nacreous rankNacreous
Dec 07, 2015

Hi,

here is a modified excerpt from the iRule I used for a clients Exchange environment: 
when CLIENT_ACCEPTED {
    switch [TCP::local_port] {
        81  {
             Cleartext HTTP traffic (redirect into https)
            SSL::disable clientside
            pool defaultPool
            return
        }
        443 {
             Encrypted HTTP traffic (decrypt, forward to pool)
            pool elsePool
            return
        }
        default {
             Reject everything else
            reject
            return
        }
    }
}

The associated virtual server has a client-ssl profile and optionally a server-ssl profile depending on your specific requirements.

The virtual server works in mode of "Standard" and uses TCP and has a port of "0" to listen on all service ports.

The pools will be configured with specific ports.

In case of incoming traffic on TCP/81 the client-ssl profile will be disabled by the iRule.

In case of incoming traffic on TCP/443 the virtual servers client-ssl profile will kick in and terminate SSL before forwarding traffic to the elsePool.

Btw, the original iRule has more use cases and turns http profile on and off, modifies persistence methods and rewrites redirects.

(In production since a couple of months instead of using the approach described in the deployment guide.)

Thanks, Stephan