iRule Causing SSL Problems
Here's an abridged version of our mobile detection script. Not sure where it is getting hung up. I tried wrapping the mobile detection with something like if { [TCP::local_port] != 443 } { ... } but that didn't seem to help. Is there something I should do before the HTTP_REQUEST to check for SSL and ignore the rest?
    when HTTP_REQUEST {
        # Only consider requests for the site root that have not opted out of the mobile site
        if { [HTTP::uri] equals "/" and not [HTTP::cookie exists "hide-mobile"] } {
            # Match known mobile User-Agent patterns (case-insensitive)
            switch -glob [string tolower [HTTP::header User-Agent]] {
                "*android*mobile*" -
                "*iphone*" -
                "*ipod*" -
                "*kindle*" {
                    HTTP::redirect "http://m.[domain [HTTP::host] 2]"
                    return
                }
            }
            # Fall back to WAP clients that advertise WML support
            if { [string tolower [HTTP::header Accept]] contains "vnd.wap.wml" } {
                HTTP::redirect "http://m.[domain [HTTP::host] 2]"
                return
            }
        }
    }
- hooleylist (Cirrostratus): Hi Stephen,
- Stephen_Anderso (Nimbostratus): The virtual server is allowing all ports to pass through, so it's just 1 virtual server allowing both http and https. If the iRule cannot be applied to https traffic since the headers are encrypted, I guess that means we could separate out virtual servers and only apply the iRule to http? Either that or offload the SSL certs to the F5?
- Joel_Moses (Nimbostratus): Yes, you'd need to offload the certs to the F5 to have this iRule fire. You can still re-encrypt to the pool if you need to do that, or you can offload SSL to the F5 and talk to the pool in-the-clear.
    when CLIENT_CONNECTED {
        if { [TCP::local_port] == 443 } {
            event HTTP_REQUEST disable
        }
    }
- hooleylist (Cirrostratus): I think it's cleaner and simpler to create two separate virtual servers for two different protocols. If you wanted to do this with one you could disable the HTTP filter and the iRule logic for non-HTTP requests using HTTP::disable and return. Here's a related example:
- hooleylist (Cirrostratus): Sorry Joel, I didn't see your reply. I think we both agree :)
- Stephen_Anderso (Nimbostratus): I agree that it would be cleaner to separate them out. I was more curious about why the iRule was getting hung up and the example you gave helps to clear that up. Thanks a bunch guys!
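The single-virtual-server approach discussed in the thread, written out as an added example (not code posted by any participant): the HTTP filter is switched off for every connection that is not on port 80, so pass-through TLS is never handed to the HTTP parser. It assumes one all-port virtual server with an HTTP profile and no client SSL profile; the `ua`, `accept` and `mobile` variable names are illustrative.

```tcl
# Added example: assumes an all-port virtual server with an HTTP profile
# attached and no client SSL profile (TLS passes through still encrypted).
when CLIENT_ACCEPTED {
    # Traffic on any port other than 80 (for example TLS on 443) is opaque
    # to the HTTP profile. Disable the HTTP filter for this connection so
    # HTTP_REQUEST never fires and the bytes are proxied untouched.
    if { [TCP::local_port] != 80 } {
        HTTP::disable
        return
    }
}

when HTTP_REQUEST {
    # Only cleartext port 80 connections reach this event.
    # Skip anything that is not the site root or has opted out.
    if { [HTTP::uri] ne "/" || [HTTP::cookie exists "hide-mobile"] } {
        return
    }

    # Hypothetical local variables holding the normalized headers.
    set ua [string tolower [HTTP::header User-Agent]]
    set accept [string tolower [HTTP::header Accept]]

    set mobile 0
    switch -glob -- $ua {
        "*android*mobile*" -
        "*iphone*" -
        "*ipod*" -
        "*kindle*" { set mobile 1 }
    }

    # Same redirect target as the original rule in this thread.
    if { $mobile || ($accept contains "vnd.wap.wml") } {
        HTTP::redirect "http://m.[domain [HTTP::host] 2]"
    }
}
```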