Forum Discussion
iRule and/or SSL profile?
I am very new to F5 and am having difficulty figuring out how to configure an application to work in the manner below. Does this require an iRule and editing a server ssl profile? I really don't know where to start here.
Logic flow and info:
If a request comes in over HTTP, it needs to be redirected to HTTPS.
If the URL contains WEB1.whatever.com/komws, it should use NEW_WEB1_pool.
If the URL does not end in /komws, use WEB1_pool.
WEB1_pool:
  Terminate SSL at the F5 using the wildcard cert
  Forward to the pool using HTTP (80)
NEW_WEB1_pool:
  Terminate SSL at the F5 using the server cert
  Use source IP affinity
  Forward to the pool using HTTPS (443)
I have both the wildcard certificate (for the WEB1_pool) and the server certificate (for the NEW_WEB1_pool) loaded onto the F5. Currently we are just doing SSL pass-thru to a single pool which works fine, however we need to split this out into two pools functioning as indicated above. I'm lost.
4 Replies
- Kevin_Stewart
Employee
First things first, create TWO VIPs:
1. A port 80 (HTTP) VIP with nothing in it but an HTTP profile and the _sys_https_redirect iRule. This will cause all requests to HTTP:// to be immediately redirected to the HTTPS VIP.
2. A port 443 (HTTPS) VIP that accepts requests to your application/pools.
Now, you cannot make a layer 6 decision (which client SSL profile to use) based on a layer 7 characteristic such as the URI. You can, however, switch profiles based on the server name using SNI (Server Name Indicator), an extension of the TLS protocol.
Aside from that, apply a server SSL profile to the HTTPS VIP and use an iRule like this:
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/komws" } {
        # send to NEW_WEB1_pool
        pool NEW_WEB1_pool
        persist source_addr 255.255.255.0 0
    } else {
        # send to WEB1_pool and disable the server SSL profile
        SSL::disable serverside
        pool WEB1_pool
    }
}
Question: how did you want to do persistence for the port 80 traffic?
- Frank_Misak_116
Nimbostratus
Thanks for the reply. We already have a redirect in place, but not sure it's the way you recommended. Below are the pieces of the configuration (scrubbed of course) as it is now. I'm not sure how to incorporate what you recommend into what is already in place? Appreciate any and all help.
ltm pool /DMZ/WEB1.app/WEB1_pool {
    app-service /DMZ/WEB1.app/WEB1
    load-balancing-mode least-connections-node
    members {
        /DMZ/10.1.1.137:443 {
            address 10.1.1.137
            app-service /DMZ/WEB1.app/WEB1
        }
        /DMZ/10.1.1.138:443 {
            address 10.1.1.138
            app-service /DMZ/WEB1.app/WEB1
        }
    }
    monitor /DMZ/WEB1_https_monitor
    slow-ramp-time 300
}
ltm rule /DMZ/WEB1_redir {
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/contracts" { HTTP::redirect "https://WEB1.whatever.com/contracts" }
        "/ppl" { HTTP::redirect "https://WEB1.whatever.com/ppl" }
        "/komws" { HTTP::redirect "https://WEB1.whatever.com/komws" }
        default { HTTP::redirect "https://WEB1.whatever.com/kom" }
    }
}
}
ltm rule /DMZ/WEB1_sorry {
when HTTP_REQUEST {
    if { [active_members WEB1_pool] < 1 } {
        HTTP::redirect "http://www2.whatever.com/kiosk/maintenance"
    }
}
}
ltm virtual /DMZ/WEB1.app/WEB1_http_virtual {
    app-service /DMZ/WEB1.app/WEB1
    destination /DMZ/10.2.2.176:80
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /DMZ/WEB1.app/WEB1_http_profile { }
        /DMZ/WEB1.app/WEB1_lan-optimized_tcp_profile {
            context serverside
        }
        /DMZ/WEB1.app/WEB1_wan-optimized_tcp_profile {
            context clientside
        }
    }
    rules {
        /DMZ/WEB1_redir
    }
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual /DMZ/WEB1.app/WEB1_https_virtual {
    app-service /DMZ/WEB1.app/WEB1
    destination /DMZ/10.2.2.176:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /DMZ/WEB1.app/WEB1_pool
    profiles {
        /Common/fastL4 { }
    }
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm monitor https /DMZ/WEB1_https_monitor {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 30
    password password
    recv "Application Health = GOOD"
    send "GET /mah/Default.aspx HTTP/1.1\\r\\nHost: WEB1.whatever.com\\r\\nConnection: Close\\r\\n\\r\\n"
    time-until-up 0
    timeout 91
    username uid=username,ou=administration,dc=whatever,dc=com
}
ltm persistence cookie /DMZ/WEB1.app/WEB1_cookie_persistence_profile {
    app-service /DMZ/WEB1.app/WEB1
}
ltm profile client-ssl /DMZ/WEB1.app/WEB1_clientssl {
    app-service /DMZ/WEB1.app/WEB1
    cert /Common/ABC-Wildcard-Cert.crt
    defaults-from /Common/clientssl
    key /Common/ABC-Wildcard-Key.key
}
ltm profile http /DMZ/WEB1.app/WEB1_http_profile {
    app-service /DMZ/WEB1.app/WEB1
    defaults-from /Common/http
    redirect-rewrite matching
}
ltm profile http-compression /DMZ/WEB1.app/WEB1_wan-optimized-compression_profile {
    app-service /DMZ/WEB1.app/WEB1
    content-type-include { text/ application/vnd.ms-publisher "application/(xml|x-javascript|javascript|x-ecmascript|ecmascript)" "application/(word|doc|msword|winword|ms-word|x-word|x-msword|vnd.word|vnd.msword|vnd.ms-word)" "application/(xls|excel|msexcel|ms-excel|x-excel|x-xls|xmsexcel|x-ms-excel|vnd.excel|vnd.msexcel|vnd.ms-excel)" "application/(powerpoint|mspowerpoint|ms-powerpoint|x-powerpoint|x-mspowerpoint|vnd.powerpoint|vnd.mspowerpoint|vnd.ms-powerpoint|vnd.ms-pps)" "application/(mpp|msproject|x-msproject|x-ms-project|vnd.ms-project)" "application/(visio|x-visio|vnd.visio|vsd|x-vsd|x-vsd)" "application/(pdf|x-pdf|acrobat|vnd.pdf)" }
    defaults-from /Common/wan-optimized-compression
}
ltm profile one-connect /DMZ/WEB1.app/WEB1_oneconnect {
    app-service /DMZ/WEB1.app/WEB1
    defaults-from /Common/oneconnect
    source-mask 255.255.255.255
}
ltm profile tcp /DMZ/WEB1.app/WEB1_lan-optimized_tcp_profile {
    app-service /DMZ/WEB1.app/WEB1
    defaults-from /Common/tcp-lan-optimized
}
ltm profile tcp /DMZ/WEB1.app/WEB1_wan-optimized_tcp_profile {
    app-service /DMZ/WEB1.app/WEB1
    defaults-from /Common/tcp-wan-optimized
}
- nitass
Employee
> We already have a redirect in place, but not sure it's the way you recommended. Below are the pieces of the configuration (scrubbed of course) as it is now. I'm not sure how to incorporate what you recommend into what is already in place?
I understand what Kevin suggested is to use the _sys_https_redirect iRule in the WEB1_http_virtual virtual server and his iRule in the WEB1_https_virtual virtual server. In the WEB1_https_virtual virtual server, you also have to assign clientssl and serverssl profiles.
- Frank_Misak_116
Nimbostratus
Kevin,
I'm still not certain on what you are saying. Based on my current configuration, I already have redirect to https in place. Looking at my config, can you tell me what I need to do next? I'm confused as to when to use and modify a profile versus when to use an iRule. I don't understand where and how I would make the changes you suggest.
Thanks!
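One way to lay out what Kevin describes, written here as an added example in the same tmsh form Frank posted; it is not code from the thread, from F5, or from either poster. Everything in it beyond names already on the page is an assumption: the NEW_WEB1 member addresses, the :80 members and /Common/http monitor for WEB1_pool, the CA object /Common/Internal-CA.crt, and the object names WEB1_serverssl and WEB1_pool_select. It makes three things concrete that the thread only implies. The posted HTTPS virtual runs fastL4, which never sees the URI, so it needs tcp and http profiles plus the client SSL profile before any path-based pool choice is possible. The wildcard certificate already in /DMZ/WEB1.app/WEB1_clientssl covers WEB1.whatever.com for both paths, which is why one client SSL profile is enough even though the client-side certificate cannot be chosen per URI. And on the server side of NEW_WEB1_pool the F5 is the TLS client, so the certificate that matters there is the CA that signed the backend servers, used to validate them, rather than the server certificate itself.

```tcl
# Added example, not code from the thread. Names below that are not on the
# page are assumptions: the NEW_WEB1 member addresses, the :80 members and
# /Common/http monitor for WEB1_pool, the CA object /Common/Internal-CA.crt,
# and the object names WEB1_serverssl and WEB1_pool_select.

# Legacy farm: TLS ends at the F5, members are reached in the clear on 80.
# The posted https monitor would fail against port 80, so an http monitor is used.
ltm pool /DMZ/WEB1_pool {
    load-balancing-mode least-connections-node
    members {
        /DMZ/10.1.1.137:80 { address 10.1.1.137 }
        /DMZ/10.1.1.138:80 { address 10.1.1.138 }
    }
    monitor /Common/http
}

# New farm: re-encrypted on 443 (member addresses assumed).
ltm pool /DMZ/NEW_WEB1_pool {
    load-balancing-mode least-connections-node
    members {
        /DMZ/10.1.1.147:443 { address 10.1.1.147 }
        /DMZ/10.1.1.148:443 { address 10.1.1.148 }
    }
    monitor /DMZ/WEB1_https_monitor
}

# Server-side TLS. The default peer-cert-mode (ignore) accepts any backend
# certificate; require plus a CA file makes the F5 actually validate it.
ltm profile server-ssl /DMZ/WEB1_serverssl {
    defaults-from /Common/serverssl
    peer-cert-mode require
    ca-file /Common/Internal-CA.crt
    authenticate-name WEB1.whatever.com
}

# Port 80: nothing but tcp, http and the stock redirect iRule, which keeps
# the requested host and URI in the Location header.
ltm virtual /DMZ/WEB1_http_virtual {
    destination /DMZ/10.2.2.176:80
    ip-protocol tcp
    profiles {
        /Common/tcp { }
        /Common/http { }
    }
    rules {
        /Common/_sys_https_redirect
    }
}

# Port 443: fastL4 replaced by tcp + http so the URI is visible, the
# wildcard client SSL profile from the page terminates TLS, and the posted
# OneConnect profile lets every request pick its own pool.
ltm virtual /DMZ/WEB1_https_virtual {
    destination /DMZ/10.2.2.176:443
    ip-protocol tcp
    pool /DMZ/WEB1_pool
    profiles {
        /Common/tcp { }
        /Common/http { }
        /DMZ/WEB1.app/WEB1_oneconnect { }
        /DMZ/WEB1.app/WEB1_clientssl { context clientside }
        /DMZ/WEB1_serverssl { context serverside }
    }
    rules {
        /DMZ/WEB1_pool_select
    }
    translate-address enabled
    translate-port enabled
}

# The layer 7 decision. The client-side certificate is fixed per
# connection before any HTTP is seen and cannot be changed here.
ltm rule /DMZ/WEB1_pool_select {
when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] starts_with "/komws" } {
        # re-encrypt to the new farm and stick the client by source IP
        SSL::enable serverside
        pool /DMZ/NEW_WEB1_pool
        persist source_addr 255.255.255.255 1800
    } else {
        # plaintext to the legacy farm: turn server SSL off first
        SSL::disable serverside
        pool /DMZ/WEB1_pool
    }
}
}
```

Two points on the choices. SSL::disable serverside and SSL::enable serverside act on the server-side connection, and pool selection in HTTP_REQUEST is only re-evaluated per request when a OneConnect profile is attached; without one, later requests on a keep-alive client connection reuse the server connection chosen for the first request. The posted WEB1_oneconnect profile is used here because its source-mask of 255.255.255.255 stops server connections being shared across client IPs, which matters on a virtual that does not SNAT. The iRule matches on HTTP::path rather than HTTP::uri so that a query string cannot influence the prefix check, and persistence is only applied on the NEW_WEB1 branch, which is the one the original post asked to make sticky.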