Incoming 443 Passthru LTM and use iRule to redirect to pool

Question

Client connections come in SSL 443; needs to pass-thru the LTM with no modification/terminating.&nbsp;
The Clients SSL session needs to terminate directly on the server.   The LTM cannot touch the session.  Trying to use the irule to look for a string in the URL - if found redirect to pool_2_8089.   If string doesnt exist - default to pool_1&nbsp;
 &nbsp;
 &nbsp;
pool_2_8089&nbsp;
Member server 192.168.1.101:8089  (is terminating SSL)&nbsp;
 &nbsp;
 &nbsp;
pool_1&nbsp;
Member server 192.168.1.101:443   (exact same server just terminating SSL at 443)&nbsp;
 &nbsp;
 &nbsp;
I have this iRule&nbsp;
 when HTTP_REQUEST {&nbsp;
  if { ([active_members pool_2_8089] &gt; 0) and ([HTTP::uri] contains "/submitVXUMessage") } {&nbsp;
  pool pool_2_8089}&nbsp;
  else {pool pool_1}&nbsp;
 }&nbsp;
 &nbsp;
 &nbsp;
The vs_dbtest&nbsp;
listening at 443&nbsp;
no ssl client or server profiles&nbsp;
In order to use iRule - I had to select http profile&nbsp;
pool_1 is default&nbsp;
 &nbsp;
 &nbsp;
ANY help is much appreciated.&nbsp;

kevin_stewart · Answer

You cannot see an HTTP URI without first terminating the SSL traffic.  
&nbsp;  
&nbsp; Would it be possible to default to the terminating VIP and redirect to the non-terminating VIP if the URI is encountered? &nbsp;

what_lies_bene1 · Answer

You can't look at the HTTP URI as you are not terminating the SSL on the F5. All the F5 can see is encrypted SSL data. You have two options here;&nbsp;
&nbsp;
1) Terminate the SSL on the F5 using an SSLClient profile. You can re-encrypt to the server using a SSLServer profile if necessary.&nbsp;
2) Use the ProxySSL feature, although I'm unsure if it's appropriate in this case: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html&nbsp;

kevin_stewart · Answer

You wouldn't be able to redirect traffic to different pools with ProxySSL.  
&nbsp;  
&nbsp; ProxySSL requires an uninterrupted path between the client and server during the initial SSL negotiation.

what_lies_bene1 · Answer

I had a feeling you might say that. Thanks for the clarification Kevin.

mohamed_lrhazi · Answer

Wow... I learn new things everyday.. never heard of ProxySSL! looks cool. 
&nbsp;  
&nbsp; Reading that solution doc, it does sound like you would full access to the HTTP traffic.. why do you say, Keven, that he cannot use this? what would the purpose of ProxySSL be then? the sol says one reason is: 
&nbsp;  
&nbsp; iRules to read or write application data 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Mohamed.

Forum Discussion

Incoming 443 Passthru LTM and use iRule to redirect to pool

9 Replies

Recent Discussions

Priority Group Activation is not working

Changes to DO and AS3 GitHub - no longer monitored

SSL Forward Proxy, iRules and Client Hello

monitor/healthcheck issue with envoy gateway

Recommendation for Adv. Lab

Related Content

F5 HTTPS Redirect 2025

Redirect TLS 1.1/1.2 clients & Append the incoming URL to the redirect target

Rewriting Redirects

(HTTP) Redirection via Arbitrary Host Header

Anchor Link Redirect

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS