jsgibbs1
Feb 03, 2017

https-to-https redirect w/SSL termination

I am using SSL Client and Server profiles on a VIP to decrypt/re-encrypt traffic after performing a sideband connection - which works as expected. I now have a requirement to inspect incoming URIs and redirect to secondary VIP if necessary. The secondary VIP also terminates SSL, performs a sideband connection, and directs traffic to its pool member (at least that's what it's supposed to do).

 

The issue I'm having is the secondary VIP is not connecting to its pool member. Well, it actually is connecting according to tcpdump, but it's not displaying the webpage. I get "this webpage is not available". However, if I remove the pool and modify the irule to perform a http redirect, it works! Problem is, I need to include an http header as well, which I understand I can't do w/a redirect.

 

Any idea what I'm doing wrong?

 

8 Replies

  • FMA

    Can you show your iRule which performs 'inspect incoming URIs and redirect to secondary VIP if necessary'?

  • The irule is on a closed system with no internet access and is very long, so I can't post it here. However, here is the portion that does the redirect. Again, the redirect to the secondary VIP does work, it just won't activate the associated pool member.

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/example" } {
            virtual secondary-vip
        }
        ..........
    

    I guess my first question should've been: can I expect https-to-https to work on the F5 as I'm trying to do?

  • I believe it can't.

    HTTP_REQUEST happens after TCP and SSL Handshake with your primary-vip. According to the iRule F5 does analyze uri and if it matches your condition sends HTTP_GET request to the secondary-vip when there is no initial connection established. I'd use a redirect which would force client to initiate a new session to your secondary-vip:

    when HTTP_REQUEST {
        if {[HTTP::uri] starts_with "/example" } {
          HTTP::redirect https://'url representing secondary vip'
        }
    }
    
  • Awesome! If you don't mind, please accept my answer :) In case my wife asks how I spend my spare time... ;)

     
