Forum Discussion

BuilderBob
Aug 06, 2021

iRule / VIP forwarding

Hi all, I am trying to work out how to perform VIP forwarding when SSL termination isn't permitted. With SSL termination we use an iRule for this purpose. The F5 topology is as follows:

Front-facing VIP:443, which all external traffic from our 3rd party hits.

Our internal Test Team has a requirement to select a test environment to send the traffic to. To achieve this we have a pool 'TEST_POOL' and in the pool we have a number of Virtual Servers.

Depending on which VS in the pool is selected as active, we currently use an iRule to determine the IP address and redirect the traffic to a corresponding VS. Because all VSs are on the same F5 appliance, we use the virtual command in the iRule to select the target VS:

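    when HTTP_REQUEST {
        # Active members of TEST_POOL, as a list of {address port} pairs
        set members [active_members -list TEST_POOL]
        # Address of the first active member
        set ipaddress [lindex [lindex $members 0] 0]
        # Forward to the internal VIP that matches the active member
        if {$ipaddress == "172.16.4.40"} {
            virtual TEST_ENV1_VIP
        } elseif {$ipaddress == "172.16.4.41"} {
            virtual TEST_ENV2_VIP
        } elseif {$ipaddress == "172.16.4.42"} {
            virtual TEST_ENV3_VIP
        }
    }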

The 3rd party now requires that we do not have SSL termination on the front-facing VIP and has asked for end-to-end encryption. From my understanding, if we're not offloading SSL on the front-facing VIP we can no longer use the iRule to redirect traffic. It isn't possible to redirect traffic based on the URI as there is nothing in the URI to differentiate between test environments.

I am looking for a workaround to the above if at all possible, i.e.

Is it possible to somehow use the iRule if we are not performing SSL termination?

Are there any other means of VIP forwarding when both VIPs are on the same local F5 appliance?

Thank you.

  • In the iRule, if you are matching any specific condition on the F5 VIP, then unless you do SSL offloading on the F5 VIP, the F5 won't be able to understand the request, as it will be encrypted when it arrives at the F5.

  • If you are not offloading SSL on the F5, you can change the current VIP to Performance Layer 4, or just remove the HTTP profile and clientssl profile, and it should work.

    The same iRule can be used; just change the HTTP_REQUEST event to the CLIENT_ACCEPTED event.

    Let us know how testing goes.
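
The change described in the reply above, written out as an added example (not code from either post): the iRule from the question moved to CLIENT_ACCEPTED, so the forwarding decision is made per TCP connection before any TLS bytes are read. The reject-and-log handling for an empty pool or an unmapped member is an assumption added here; pool, address and VIP names are the ones from the question.

```tcl
# Added example: TCP-level variant of the iRule from the question.
# Intended for the front-facing VIP with no clientssl and no HTTP profile,
# so the F5 never decrypts the traffic on this virtual server.
when CLIENT_ACCEPTED {
    # Active members of TEST_POOL as {address port} pairs; empty if none is up.
    set members [active_members -list TEST_POOL]

    if { [llength $members] == 0 } {
        # Assumption: with no test environment selected, refuse the
        # connection instead of letting it fall through to a default.
        log local0.warning "TEST_POOL has no active member, rejecting [IP::client_addr]"
        reject
        return
    }

    # Address of the first active member selects the environment.
    set ipaddress [lindex [lindex $members 0] 0]

    # Hand the still-encrypted connection to the matching internal VIP.
    switch -- $ipaddress {
        "172.16.4.40" { virtual TEST_ENV1_VIP }
        "172.16.4.41" { virtual TEST_ENV2_VIP }
        "172.16.4.42" { virtual TEST_ENV3_VIP }
        default {
            # Assumption: an active member with no mapping is a
            # configuration error, so log it and drop the connection.
            log local0.warning "No VIP mapped for active member $ipaddress"
            reject
        }
    }
}
```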