Forum Discussion
iRule for redirection for ssl and non ssl on same port
Aditya_Mehra (Cirrus)
Feb 22, 2019
Hi All,
I have Virtual Server on a port 1500. The SSL terminates here as well.
I need help in an iRule to send traffic to different pools for ssl and non ssl traffic.
SSL request on port 1500 go...
jaikumar_f5 (Noctilucent)
Feb 24, 2019
Hi Aditya,
It is doable; let's say below is your requirement:
- VIP is 1.1.1.1:1500
- Pool1 servers are non-ssl servers
- Pool2 servers are ssl servers
- You want http & https to work on 1.1.1.1:1500 VIP.
- http traffic to go to Pool1
- https traffic to go to Pool2
1st, you have to create a clientssl profile which would accept both ssl and non-ssl traffic (the profile needs a name; the one below matches the VS config further down):
    tmsh create ltm profile client-ssl custom-clientsslprofile-name allow-non-ssl enabled
2nd, you have to create the iRule:
    ltm rule ssl-and-nonssl-irule {
        when CLIENT_ACCEPTED {
            set https_state 0
            log local0. "Lets set https_state value to as 0, meaning its a HTTP traffic"
        }
        when CLIENTSSL_HANDSHAKE {
            set https_state 1
            log local0. "Lets set https_state value to as 1, meaning its a HTTPS traffic"
        }
        when HTTP_REQUEST {
            if { $https_state == 0 } {
                pool pool_1
                log local0. "https_state value is 0, meaning its a HTTP traffic & HTTP Pool will be selected"
            } else {
                pool pool_2
                log local0. "https_state value is 1, meaning its a HTTPS traffic & HTTPS Pool will be selected"
            }
        }
        when SERVER_CONNECTED {
            if { $https_state == 0 } {
                log local0. "https_state value is 0, meaning its a HTTP traffic & forcing serverside SSL should not be selected"
                SSL::disable serverside
                log local0. "pool_1 connected"
            } elseif { $https_state == 1 } {
                log local0. "https_state value is 1, meaning its a HTTPS traffic & serverside SSL would be selected"
                log local0. "pool_2 connected"
            }
        }
    }
Finally, have the custom clientssl & serverssl profiles added to your VS. Add the iRule too. It would be something like below:
    ltm virtual test-ssl-nonssl {
        destination 1.1.1.1:1500
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            http { }
            custom-clientsslprofile-name {
                context clientside
            }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            ssl-and-nonssl-irule
        }
        source 0.0.0.0/0
        source-address-translation {
            pool xxxx
            type snat
        }
        translate-address enabled
        translate-port enabled
        vs-index 123
    }
Let me know how it goes.
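The mechanism the answer relies on is that a single listener can tell a TLS client from a plaintext client by the first few bytes it sends, which is what lets `allow-non-ssl` and the `https_state` flag work on one port. The script below is an added example written for this page, not code from the thread and not BIG-IP's implementation: it classifies the first bytes of a connection as a TLS ClientHello or an HTTP request line, maps the result to the thread's pool names (pool_1 for plaintext, pool_2 for TLS, an assumption taken from the iRule), and uses MSG_PEEK so the bytes remain queued for whatever handles the stream next. The ClientHello and HTTP request are constructed sample inputs; the hostname and cipher suite in them are placeholders.

```python
"""Distinguish TLS from plaintext on one listening port.

Added example for the DevCentral thread above; not BIG-IP code and not a
claim about how allow-non-ssl is implemented. Pool names follow the iRule
in the thread; everything else here is an assumption of this example.
"""
import socket
import threading
import time

TLS_CONTENT_TYPE_HANDSHAKE = 0x16   # first byte of every TLS handshake record
TLS_HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type inside that record
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
PEEK_LEN = 6  # 5-byte record header + 1-byte handshake type


def classify_initial_bytes(data: bytes) -> str:
    """Return "tls", "http" or "unknown" for the first bytes a client sent.

    "unknown" covers both too-few bytes (wait for more) and anything that is
    neither a ClientHello nor an HTTP request line.
    """
    # TLS: content type 0x16, record version 0x0300..0x0304 (SSLv3 through the
    # TLS 1.3 compatibility value), 2-byte length, then handshake type 0x01.
    if (len(data) >= PEEK_LEN
            and data[0] == TLS_CONTENT_TYPE_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04
            and data[5] == TLS_HANDSHAKE_CLIENT_HELLO):
        return "tls"
    # Plaintext HTTP: the request line starts with a case-sensitive method token.
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def select_pool(kind: str):
    """Mirror the iRule's choice: plaintext -> pool_1, TLS -> pool_2, else None."""
    return {"http": "pool_1", "tls": "pool_2"}.get(kind)


def classify_connection(conn: socket.socket, timeout: float = 2.0) -> str:
    """Peek with MSG_PEEK so the bytes stay queued for the real TLS/HTTP handler."""
    deadline = time.monotonic() + timeout
    first = b""
    while len(first) < PEEK_LEN and time.monotonic() < deadline:
        conn.settimeout(max(0.01, deadline - time.monotonic()))
        try:
            chunk = conn.recv(PEEK_LEN, socket.MSG_PEEK)  # always from the queue start
        except socket.timeout:
            break
        if not chunk:          # peer closed before sending enough
            break
        first = chunk
        if len(first) < PEEK_LEN:
            time.sleep(0.01)   # partial arrival: let the rest of the segment land
    return classify_initial_bytes(first)


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (one suite, no extensions)."""
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeros: sample only)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                     # one compression method: null
            + b"\x00\x00")                    # extensions length 0
    handshake = bytes([TLS_HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01"
            + len(handshake).to_bytes(2, "big") + handshake)


SAMPLE_CLIENT_HELLO = build_client_hello()                                   # constructed
SAMPLE_HTTP_REQUEST = b"GET /health HTTP/1.1\r\nHost: vip.example.test:1500\r\n\r\n"  # constructed


def demo(payloads=(SAMPLE_CLIENT_HELLO, SAMPLE_HTTP_REQUEST)) -> list:
    """Loopback run: one listener classifies each connection, then reads the
    whole payload to show that the peek consumed nothing.
    Returns (kind, pool, bytes_still_readable) per connection."""
    results = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(len(payloads))
    port = listener.getsockname()[1]

    def serve():
        for _ in payloads:
            conn, _addr = listener.accept()
            with conn:
                kind = classify_connection(conn)
                remaining = conn.recv(4096)   # the peeked bytes are still here
                results.append((kind, select_pool(kind), len(remaining)))

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    for payload in payloads:
        with socket.create_connection(("127.0.0.1", port)) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)
    worker.join(5)
    listener.close()
    return results


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The "unknown" result is the case worth thinking about when sharing a port this way: a client that opens a connection and sends nothing, or sends something that is neither protocol, should be timed out rather than guessed at, and the iRule above handles that implicitly because `HTTP_REQUEST` never fires for it.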