Forum Discussion

bls9701_10560's avatar
Icon for Nimbostratus rankNimbostratus
Jan 12, 2011

https redirect iRule requirements




I beleive from reading the manuals and forums that if a request comes in as https (As intended) and I need to change the URI with an iRule and send it to a pool still as https, I must have a client SSL profile configured (at least, maybe a server as well).



I don't have direct access to the Big-IP, so I can't use old-fashioned trial and error. Here are the issues I've experienced when trying to do this:



-Implementing an iRule on a virtual server requires an http profile


a. Most of our SSL requests are passthrough for load balancing to a pool only, therefore, no specific profile is set for these (and btw, they don't use port 443)


b. when the f5 engineer sets the profile to http to be able to add an iRule, all traffic on that virtual server essentially is blocked


c. I am guessing that (b) is caused because the http profile and iRule try to read the request content and find it encrypted and have no profile to decrypt???





1. Can I do this without encryption/decryption since I am only manipulating the request URL and not the content of the request/response?


2. If not do I need both a client SSL and server SSL profile (assuming that the message should reach the app server in the pool via https still - not terminating SSL)?


3. We've had a difficult time trying to get client/server SSL profiles configured in the past...What are the exact requirements?


a. What kind of certificate does the client profile need?


Our client web browsers trust the Root CA, is that all that is required?


b. What kind of certificate does the server profile need?


For the app servers, I generate a wildcard CSR for, the CA signs it, and I import it back. I tried working with the f5 engineer and had him attempt in the past with no success. Does he generate a wildcard CSR for * so that it can be reused for multiple sites, or does it have to be specific? Does it have to clone the cert of the app server since it is in a way pretending to be the app server?



Thanks in advance for your help! Please let me know if any clarity is needed.





1 Reply

  • 1. In order to see what the request URI is, you need to decrypt the request.


    2. You'll need a clientSSL profile to decrypt the request and a serverSSL profile to re-encrypt it.


    3A - You should be able to generate a cert request from the LTM and fulfill it from the Root CA. Simply change the key and cert within your ClientSSL profile and you should be set.


    3B - Try simply using the default ServerSSL profile...that will usually work.