Forum Discussion
NimbostratusIncoming 443 Passthru LTM and use iRule to redirect to pool
Client connections come in SSL 443; needs to pass-thru the LTM with no modification/terminating.
The Clients SSL session needs to terminate directly on the server. The LTM cannot touch the session. Trying to use the irule to look for a string in the URL - if found redirect to pool_2_8089. If string doesnt exist - default to pool_1
pool_2_8089
Member server 192.168.1.101:8089 (is terminating SSL)
pool_1
Member server 192.168.1.101:443 (exact same server just terminating SSL at 443)
I have this iRule
when HTTP_REQUEST {
if { ([active_members pool_2_8089] > 0) and ([HTTP::uri] contains "/submitVXUMessage") } {
pool pool_2_8089}
else {pool pool_1}
}
The vs_dbtest
listening at 443
no ssl client or server profiles
In order to use iRule - I had to select http profile
pool_1 is default
ANY help is much appreciated.
9 Replies
- Kevin_Stewart
Employee
You cannot see an HTTP URI without first terminating the SSL traffic.
Would it be possible to default to the terminating VIP and redirect to the non-terminating VIP if the URI is encountered? 
What_Lies_Bene1Cirrostratus
You can't look at the HTTP URI as you are not terminating the SSL on the F5. All the F5 can see is encrypted SSL data. You have two options here;
1) Terminate the SSL on the F5 using an SSLClient profile. You can re-encrypt to the server using a SSLServer profile if necessary.
2) Use the ProxySSL feature, although I'm unsure if it's appropriate in this case: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html- Kevin_StewartYou wouldn't be able to redirect traffic to different pools with ProxySSL.
ProxySSL requires an uninterrupted path between the client and server during the initial SSL negotiation. - What_Lies_Bene1I had a feeling you might say that. Thanks for the clarification Kevin.
Mohamed_LrhaziAltocumulus
Wow... I learn new things everyday.. never heard of ProxySSL! looks cool.
Reading that solution doc, it does sound like you would full access to the HTTP traffic.. why do you say, Keven, that he cannot use this? what would the purpose of ProxySSL be then? the sol says one reason is:
iRules to read or write application data
Thanks,
Mohamed.- Mohamed_LrhaziYou wouldn't be able to redirect traffic to different pools with ProxySSL.
Did not read that carefully. I see now. Thanks. - John_Stevensen
Thank you!
Do you know off the top of your head if the ProxySSL feature is supported in our release BIG-IP 10.2.0 Build 1755.1 Hotfix HF1
- Mohamed_LrhaziThat sol doc says it only applies to: 11.2.0, 11.1.0, 11.0.0
But as Keven said, at HTTP_REQUEST time, the pool member was already selected and SSL connection completed with it. - John_Stevensen
LOL.
When I was typing my reply.... a flood of other replies had funneled in and I didnt get to read them yet.
You guys rock.
