Forum Discussion
iRule for redirection for ssl and non ssl on same port
Hi All, I have a Virtual Server on port 1500. The SSL terminates here as well.
I need help with an iRule to send traffic to different pools for SSL and non-SSL traffic.
SSL request on port 1500 goes to pool 1
Non-SSL request on port 1500 goes to pool 2
Thanks, Aditya
- Dave_McCauley_3
Cirrostratus
So do you have two different virtual servers, one on 1500 and one on 1550? Just use a default pool for each of those.
If you have only a virtual server on port 1500, just create a second virtual server on 1550 and have it go to the other pool. No iRule needed.
- Aditya_Mehra
Cirrus
Sorry, typo... only 1 VIP 1500.. and ssl and non ssl both come here..
updated the question.
- Dave_McCauley_3
Cirrostratus
In that case, you'll need to gather the first few bytes to see if it's encrypted or not, and then disable SSL and select the other pool.
 
https://clouddocs.f5.com/api/irules/TCP__collect.html
 
https://clouddocs.f5.com/api/irules/SSL__disable.html
 
https://clouddocs.f5.com/api/irules/pool.html
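
The first-bytes check described in this reply, shown as an added example that is not part of the original post and is not an iRule: a Python function that decides from the bytes gathered so far whether a connection opens with a TLS ClientHello or a plain HTTP request. The names `classify` and `choose_pool` are hypothetical, the pool mapping follows the question (SSL to pool 1, non-SSL to pool 2), and the sample bytes are constructed.

```python
# Added example: classify the first bytes a client sends on a shared port.
# Function names and return labels are hypothetical, not F5 APIs.

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")
TLS_HANDSHAKE = 0x16      # TLS record content type "handshake"
CLIENT_HELLO = 0x01       # handshake message type "ClientHello"
MAX_RECORD_LEN = 1 << 14  # upper bound on a plaintext TLS record length


def classify(first_bytes: bytes) -> str:
    """Return 'tls', 'http', 'unknown', or 'need-more' (too few bytes yet)."""
    if not first_bytes:
        return "need-more"
    if first_bytes[0] == TLS_HANDSHAKE:
        # The record header is 5 bytes; byte 6 is the handshake message type.
        if len(first_bytes) < 6:
            return "need-more"
        major, minor = first_bytes[1], first_bytes[2]
        length = int.from_bytes(first_bytes[3:5], "big")
        if (major == 3 and minor <= 4 and 0 < length <= MAX_RECORD_LEN
                and first_bytes[5] == CLIENT_HELLO):
            return "tls"
        return "unknown"
    # Plain HTTP/1.x starts with an ASCII method followed by a space.
    for method in HTTP_METHODS:
        token = method + b" "
        if first_bytes.startswith(token):
            return "http"
        if token.startswith(first_bytes):
            return "need-more"  # only a prefix of a method so far
    return "unknown"


def choose_pool(first_bytes: bytes) -> str:
    """Map the classification to the pools named in the question."""
    kind = classify(first_bytes)
    if kind == "tls":
        return "pool 1"
    if kind == "http":
        return "pool 2"
    # Anything else is neither protocol: wait for more data or drop it.
    return "reject" if kind == "unknown" else "wait"


if __name__ == "__main__":
    # Constructed samples: a TLS record header plus ClientHello type, then HTTP.
    print(choose_pool(b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"))
    print(choose_pool(b"GET / HTTP/1.1\r\n"))
```

Six bytes are enough to tell the two apart, and returning "unknown" for anything else keeps stray protocols from being sent to either pool by default.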
 
- Aditya_Mehra
Cirrus
Thanks Dave, I went through it and it's helpful. Also I will be trying the iRule given below by jaikumar. Thanks, Aditya
- jaikumar_f5
Noctilucent
Hi Aditya,
It is doable. Let's say below is your requirement,
- VIP is 1.1.1.1:1500
- Pool1 servers are non-ssl servers
- Pool2 servers are ssl servers
- You want http & https to work on 1.1.1.1:1500 VIP.
- http traffic to go to Pool1
- https traffic to go to Pool2
1st, you have to create a clientssl profile which would accept both ssl and non-ssl traffic.
    tmsh create ltm profile client-ssl custom-clientsslprofile-name allow-non-ssl enabled
2nd, you have to create the irule,
    ltm rule ssl-and-nonssl-irule {
        when CLIENT_ACCEPTED {
            set https_state 0
            log local0. "Lets set https_state value to as 0, meaning its a HTTP traffic"
        }
        when CLIENTSSL_HANDSHAKE {
            set https_state 1
            log local0. "Lets set https_state value to as 1, meaning its a HTTPS traffic"
        }
        when HTTP_REQUEST {
            if { $https_state == 0 } {
                pool pool_1
                log local0. "https_state value is 0, meaning its a HTTP traffic & HTTP Pool will be selected"
            } else {
                pool pool_2
                log local0. "https_state value is 1, meaning its a HTTPS traffic & HTTPS Pool will be selected"
            }
        }
        when SERVER_CONNECTED {
            if { $https_state == 0 } {
                log local0. "https_state value is 0, meaning its a HTTP traffic & forcing serverside SSL should not be selected"
                SSL::disable serverside
                log local0. "pool_1 connected"
            } elseif { $https_state == 1 } {
                log local0. "https_state value is 1, meaning its a HTTPS traffic & serverside SSL would be selected"
                log local0. "pool_2 connected"
            }
        }
    }
Finally, have the custom-clientssl & serverssl profiles added to your VS. Add the iRule too. It would be something like below,
    ltm virtual test-ssl-nonssl {
        destination 1.1.1.1:1500
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            http { }
            custom-clientsslprofile-name {
                context clientside
            }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            ssl-and-nonssl-irule
        }
        source 0.0.0.0/0
        source-address-translation {
            pool xxxx
            type snat
        }
        translate-address enabled
        translate-port enabled
        vs-index 123
    }
Let me know how it goes.