Forum Discussion
bernie_9326
Nimbostratus
Feb 24, 2010
in layer 7 routing, how to direct request under SSL
Hi
Wondering if you can help. We are trying to use layer 7 routing to send web requests to three different pools.
Our questions are - is there a way to set up Layer 7 routing such that ...
The_Bhattman
Nimbostratus
Feb 24, 2010
Hi Bernie
Hoolio created an excellent iRule to run HTTP and HTTPS on the same virtual address (Click here)
Here is the same code that has your specifics (Of course it's untested so there might be some fine tuning)
```tcl
when RULE_INIT {
    # Requests to ports not defined in either the https or http ports list will be reset

    # Set this option to 1 to redirect client requests from HTTP to HTTPS. Set to 0 to not redirect clients from HTTP to HTTPS.
    set ::redirect_http_to_https 0

    # Set this option to 1 to rewrite the requested URI to lower case. Set to 0 to not rewrite the URI.
    set ::rewrite_uri_to_lower_case 1

    # Set this option to 1 to log debug messages (to /var/log/ltm by default)
    set ::single_vs_debug 1
}
when CLIENT_ACCEPTED {
    # Save the client IP:port as a log prefix to make the log lines shorter
    set log_prefix "[IP::client_addr]:[TCP::client_port]"

    if { [matchclass [TCP::local_port] equals "443"] } {
        # Request was to an HTTPS port, so do nothing for the clientside connection.
        # The defined client and/or server SSL profiles will be applied as normal
        if {$::single_vs_debug} {log local0. "$log_prefix: HTTPS request to [IP::local_addr]:[TCP::local_port]"}

        # Log an error if the virtual server doesn't have a client SSL profile, but receives an SSL request
        if {[PROFILE::exists clientssl] == 0} {
            if {$::single_vs_debug} {log local0. "$log_prefix:\
                Client connection received on port [TCP::local_port], but no client SSL profile is enabled on [IP::local_addr]"}
            reject
        }
    } elseif { [matchclass [TCP::local_port] equals "80"] } {
        # Request was to an HTTP port, not an HTTPS port, so disable client SSL profile if one is enabled on the VIP
        set vip_http_port 1
        if {$::single_vs_debug} {log local0. "$log_prefix: HTTP request to [IP::local_addr]:[TCP::local_port]"}

        # Check to see if there is a client SSL profile and if so, disable it
        if { [PROFILE::exists clientssl] == 1 } {
            if {$::single_vs_debug} {log local0. "$log_prefix: Client SSL profile enabled on VIP. Disabling SSL."}
            set disable_cmd "SSL::disable"
            eval $disable_cmd
        }
    } else {
        # Request wasn't to a defined port, so reset the TCP connection.
        if {$::single_vs_debug} {log local0. "$log_prefix:\
            Dropping request to undefined port [IP::local_addr]:[TCP::local_port]"}
        reject
    }
}
when HTTP_REQUEST {
    # If redirect_http_to_https is enabled and the request was made to an HTTP port,
    # redirect the client to the same host/URI over HTTPS
    if { ($::redirect_http_to_https == 1 or ([info exists redirect_http_to_https] && $redirect_http_to_https)) && \
        ([info exists vip_http_port] && $vip_http_port==1)} {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        if {$::single_vs_debug} {log local0. "$log_prefix:\
            Redirecting client [IP::client_addr] to https://[getfield [HTTP::host] \":\" 1][HTTP::uri]"}
    } else {
        # Rewrite the HTTP::path to lower case if the option is enabled globally or in a separate rule
        if {$::rewrite_uri_to_lower_case or ([info exists rewrite_uri_to_lower_case] and $rewrite_uri_to_lower_case)} {
            HTTP::path [string tolower [HTTP::path]]
        }

        # URI-based pool selection runs here rather than in CLIENT_ACCEPTED:
        # HTTP::uri is only available once the HTTP request has been parsed
        if { [info exists vip_http_port] && $vip_http_port == 1 } {
            # Request arrived on the HTTP port
            if {[HTTP::uri] starts_with "/acme"} {
                log local0. " going to pool-acme"
                pool pool-acme
            }
        } else {
            # Request arrived on the HTTPS port
            log local0. "uri=[HTTP::uri]"
            switch -glob [string tolower [HTTP::uri]] {
                "/onlyssl*" { pool pool-onlyssl }
                default { pool pool-bob }
            }
        }
    }
}
```
I hope this helps