Forum Discussion
Luis_Ribeiro
Nimbostratus
Dec 20, 2017
HTTPS does not hit iRule
Hi,
I'm to implement an iRule for HTTPS. The iRule is:
    when HTTP_REQUEST {
        # HTTPS ------------------------------------------------------------------------
        log local0. ".TESTE HTTPS: [IP::client_addr] -> [IP::local_addr] HOST:[HTTP::host] PATH:[HTTP::path] [HTTP::uri] [TCP::local_port]"
        if { [string tolower [HTTP::host]] contains "xpto.com" } {
            log local0. ".TESTE HTTPS.IF: [IP::client_addr] -> [IP::local_addr] [HTTP::host] [HTTP::uri] [TCP::local_port]"
            switch -glob [string tolower [HTTP::uri]] {
                "/index1.php" {
                    persist source_addr 255.255.255.255 1800
                    log local0. ".TESTE index1: [IP::client_addr] -> [IP::local_addr] [HTTP::host] [HTTP::uri] [TCP::local_port]"
                    node "10.1.144.100:[TCP::local_port]"
                }
                "/index2.php" {
                    persist source_addr 255.255.255.255 1800
                    log local0. ".TESTE index2: [IP::client_addr] -> [IP::local_addr] [HTTP::host] [HTTP::uri] [TCP::local_port]"
                    node "10.1.144.101:[TCP::local_port]"
                }
                "/index3.php" {
                    persist source_addr 255.255.255.255 1800
                    log local0. ".TESTE /index3: [IP::client_addr] -> [IP::local_addr] [HTTP::host] [HTTP::uri] [TCP::local_port]"
                    node "10.1.144.102:[TCP::local_port]"
                    log local0. ".TESTE index3: [IP::client_addr] -> [IP::local_addr] [HTTP::host] [HTTP::uri] [TCP::local_port]"
                }
                default {
                    # HTTPS but not BKO
                    log local0. ".TESTE DEFAULT: [IP::client_addr] -> [IP::local_addr]"
                }
            }
        }
    }
I have a similar iRule for an HTTP virtual server and it works fine. This one, for HTTPS, does not work, and I do not see any log.
Later, to check if the iRule is called, I have added to the iRule:

    when CLIENT_ACCEPTED {
        log local0. ".TESTE CLIENT_ACCEPTED: [IP::client_addr] -> [IP::local_addr] [TCP::local_port]"
        # Check the VS port to determine if connection is SSL or not
        switch [TCP::local_port] {
            "443" {
                log local0. ".TESTE CLIENT_ACCEPTED:443: [IP::client_addr] -> [IP::local_addr] [TCP::local_port]"
                set proto "https"
            }
            default {
                log local0. ".TESTE CLIENT_ACCEPTED:not443: [IP::client_addr] -> [IP::local_addr] [TCP::local_port]"
                set proto "http"
            }
        }
    }
I have logs for "CLIENT_ACCEPTED" and "443", so the iRule is called!
The HTTPS uses TLSv3.
So the question is: what's wrong?
Thanks, LFR.
1 Reply
Do you have a client-ssl profile attached to the virtual server? You need to terminate the SSL connection if you want to see the HTTP traffic.
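
The following is an added example, not part of the original thread or the reply above: a diagnostic iRule that records how far each connection gets (TCP accept, TLS termination, HTTP parse), so one log line shows whether the BIG-IP terminated TLS before HTTP_REQUEST could fire. It assumes the virtual server has both a client-ssl profile and an http profile attached; the `TRACE` prefix and variable names are illustrative.

```tcl
# Added diagnostic sketch (not from the thread). Assumes the virtual server
# has a client-ssl profile and an http profile attached.
when CLIENT_ACCEPTED {
    # Fires for every TCP connection, with or without TLS termination.
    set stage "tcp-accepted"
    set tls "none"
    set peer "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
}

when CLIENTSSL_HANDSHAKE {
    # Fires once the client-ssl profile has completed the TLS handshake.
    set stage "tls-terminated"
    set tls "[SSL::cipher version] [SSL::cipher name]"
}

when HTTP_REQUEST {
    # Fires only when the http profile parses a cleartext request,
    # i.e. after TLS has been terminated on the BIG-IP.
    set stage "http-parsed"
    log local0. "TRACE $peer tls=($tls) [HTTP::method] [HTTP::host][HTTP::uri]"
}

when CLIENT_CLOSED {
    # One line per connection that never produced an HTTP request,
    # showing the last stage it reached.
    if { $stage ne "http-parsed" } {
        log local0. "TRACE $peer closed at stage=$stage tls=($tls)"
    }
}
```

A connection that closes at `tcp-accepted` never completed the TLS handshake; one that closes at `tls-terminated` was decrypted but sent no request the http profile could parse. Remove the rule after troubleshooting, since it logs on every connection.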