Forum Discussion

Jonathon_Page
Nimbostratus
Jan 20, 2017

HTTPS LTM iRule for overloading a VIP - HTTPS web server internally not encrypting

Hi, I've used the articles on here to create a single VIP with an iRule to switch pools using the URL::host value. This has been working great for internal services that are HTTP.

I'm trying to deploy one that is HTTPS internally, and no matter what I try I can't seem to get the F5 and the web server to establish a TLS handshake. I've tried SSL server profiles and I've tried adding SSL::enable server commands, but the web server gets a clear-text GET request on port 443.

when HTTP_REQUEST {
    log local0. "client=[IP::client_addr]:[TCP::client_port] host=[HTTP::host] uri=[HTTP::uri]"
    # The host is lower-cased before matching, so every pattern below must be lowercase
    switch -- [string tolower [HTTP::host]] {
        "server1" {
            switch -glob -- [string tolower [HTTP::uri]] {
                "/stuff?*" { pool pool_Srv1 }
                default    { reject }
            }
        }
        "server2" {
            switch -glob -- [string tolower [HTTP::uri]] {
                "/psp/*" -
                "/favicon.ico"  { pool pool_Srv2 }
                "/"             { HTTP::respond 302 Location "http://MainpageOnOtherServer" }
                "/apple-touch*" { reject }
                default         { reject }
            }
        }
        "newserver" {
            log local0. "Is [HTTP::host] uri=[HTTP::uri]"
            HTTP::header insert "X-Forwarded-Proto" "https"
            pool pool_NewSrv
        }
        default {
            reject
        }
    }
}
when SERVER_CONNECTED {
    # Server-side SSL is toggled only after the pool member has been chosen
    switch -- [LB::server pool] {
        pool_NewSrv {
            SSL::enable serverside
            SSL::profile InternalTLS
        }
        default {
            SSL::disable serverside
        }
    }
}

Any suggestions would be greatly appreciated.

Thanks
  • Assuming that the server initiates the SSL/TLS connection for this "internal HTTPS" service, you should use a client SSL profile on a VS:443. If you require end-to-end encryption, you can utilize a server-side SSL profile too. However, I would recommend that you test with the client-side SSL profile before implementing the server-side SSL profile. Use a separate VS:443.

  • Hi.

    I found my answer through playing. I had the serverssl profile enabled on the virtual server, but I had the iRule set up to disable the encryption for the internal HTTP. I read an article, https://devcentral.f5.com/questions/what-is-appropriate-way-to-use-ssldisable-serverside-sslenable-serverside, and it indicated that I should disable the SSL in CLIENT_ACCEPTED and do the SSL::enable server before selecting the pool.

    The system appears to be working now.
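The fix the original poster describes, written out as a complete iRule. This is an added example, not code from the thread or from F5: it keeps the poster's host and pool names (pool_Srv1, pool_Srv2, pool_NewSrv, serverssl profile InternalTLS) and assumes a virtual server on :443 with a client SSL profile and that serverssl profile attached. The SERVERSSL_HANDSHAKE event and its log line are additions so that the server-side handshake can be confirmed on the BIG-IP itself instead of inferred from the web server's logs; the verify_result value only means something if InternalTLS is configured to verify the back-end certificate (peer-cert-mode require with a trusted CA bundle), which is an assumption here, not something the thread states.

```tcl
# Added example, not from the original post.
# Assumes: VS on :443 with a clientssl profile and the serverssl profile
# "InternalTLS" attached; pools pool_Srv1, pool_Srv2 and pool_NewSrv exist.
#
# Server-side SSL starts disabled for every connection (most back ends here
# speak plain HTTP) and is switched on per request, together with the
# profile, before the pool command. This is the pattern the linked DevCentral
# thread recommends; in the poster's setup, toggling it in SERVER_CONNECTED
# left the request reaching the HTTPS back end in clear text.
when CLIENT_ACCEPTED {
    SSL::disable serverside
}

when HTTP_REQUEST {
    log local0. "client=[IP::client_addr]:[TCP::client_port] host=[HTTP::host] uri=[HTTP::uri]"
    # The host is lower-cased before matching, so every pattern must be lowercase.
    switch -- [string tolower [HTTP::host]] {
        "server1" {
            switch -glob -- [string tolower [HTTP::uri]] {
                "/stuff?*" { pool pool_Srv1 }
                default    { reject }
            }
        }
        "server2" {
            switch -glob -- [string tolower [HTTP::uri]] {
                "/psp/*" -
                "/favicon.ico" { pool pool_Srv2 }
                "/"            { HTTP::respond 302 Location "http://MainpageOnOtherServer" }
                default        { reject }
            }
        }
        "newserver" {
            # HTTPS back end: turn on server-side TLS and pick the profile
            # before the pool is selected, not after the server connection exists.
            SSL::enable serverside
            SSL::profile InternalTLS
            # The client leg is TLS (clientssl profile on this VS), so tell the
            # application behind us to build https:// links.
            HTTP::header insert "X-Forwarded-Proto" "https"
            pool pool_NewSrv
        }
        default {
            reject
        }
    }
}

# Fires only when a server-side TLS handshake completes, which is direct
# evidence that the back end negotiated TLS. Certificate checking itself is
# enforced by the serverssl profile (peer-cert-mode require + trusted CA);
# the verify result is logged so a profile that silently ignores a bad
# certificate shows up in /var/log/ltm.
when SERVERSSL_HANDSHAKE {
    log local0. "serverside TLS to [IP::server_addr]:[TCP::server_port] version=[SSL::cipher version] cipher=[SSL::cipher name] verify_result=[SSL::verify_result]"
}
```

To check the result without trusting the application's logs, watch /var/log/ltm for the "serverside TLS to" line, and capture the server-side leg on the BIG-IP (for example tcpdump -ni 0.0 host <pool member> and port 443): the first bytes from the BIG-IP to the member should be a TLS ClientHello, not a plain-text GET. A nonzero verify_result with the profile set to require means the BIG-IP is rejecting the back end's certificate, which is the failure you want to see rather than a profile in ignore mode that accepts any certificate and turns "end-to-end encryption" into encryption to whoever answers on that port.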