Forum Discussion

Nimbostratus

May 22, 2013

iRule and/or SSL profile?

I am very new to F5 and am having difficulty figuring out how to configure an application to work in the manner below. Does this require an iRule and editing a server ssl profile? I really don't kn...

Employee

May 22, 2013

First things first, create TWO VIPs:

1. A port 80 (HTTP) VIP with nothing in it but an HTTP profile and the _sys_https_redirect iRule. This will cause all requests to HTTP:// to be immediately redirected to the HTTPS VIP.

2. A port 443 (HTTPS) VIP that accepts requests to your application/pools.

Now, you cannot make a layer 6 decision (which client SSL profile to use) based on a layer 7 characteristic such as the URI. You can, however, switch profiles based on the server name using SNI (Server Name Indicator), an extension of the TLS protocol.

Aside from that, apply a server SSL profile to the HTTPS VIP and use an iRule like this:


when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/komws" } {
         send to NEW_WEB1_pool
        pool NEW_WEB1_pool
        persist source_addr 255.255.255.0 0
    } else {
         send to WEB1_pool and disable the server SSL profile
        SSL::disable serverside
        pool WEB1_pool
    }
}

Question: how did you want to do persistence for the port 80 traffic?

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)