iRule for Setting Server Side SSL

Question

The iRule below is working for the most part, the setting of the server side SSL profile is the section that is failing we are getting SSL errors upon connecting. This error occurs whether we apply the same profile as part of the VIP configuration also.&nbsp;when called the section to set the serverside SSL is failing, specifically the following commands&nbsp;set SSL::enable&nbsp;set SSL::profile TEST-SERVERSIDE-SSL-PROFILE&nbsp;&nbsp;What are we missing to get this to work?&nbsp;when HTTP_REQUEST {&nbsp;set CALL_SERVERSIDE_SSL 0&nbsp;log local0. "Request: [HTTP::host]"&nbsp;if {[HTTP::host] starts_with "siteA.mysite.com" }{&nbsp;&nbsp;&nbsp;if {[active_members SITEA-9032-POOL] &lt; 1} {&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Using pool SO-SORRY-80-POOL"&nbsp;&nbsp;&nbsp;&nbsp;pool SO-SORRY-80-POOL&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;else {&nbsp;&nbsp;&nbsp;log local0. "Using pool SITEA-9032-POOL"&nbsp;&nbsp;&nbsp;pool SITEA-9032-POOL&nbsp;&nbsp;}&nbsp;}* elseif {[HTTP::host] starts_with "siteB.mysite.com" }{&nbsp;&nbsp;&nbsp;if {[active_members SITEB-PROD-443-POOL] &gt;= 1} {&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Using pool SITEB-PROD-443-POOL"&nbsp;&nbsp;&nbsp;&nbsp;persist source_addr&nbsp;&nbsp;&nbsp;&nbsp;set CALL_SERVERSIDE_SSL 1&nbsp;&nbsp;&nbsp;&nbsp;pool SITEB-PROD-443-POOL }&nbsp;else {&nbsp;&nbsp;&nbsp;log local0. "Using pool SO-SORRY-80-POOL"&nbsp;&nbsp;&nbsp;pool SO-SORRY-80-POOL*&nbsp;&nbsp;&nbsp;}&nbsp;}elseif {[HTTP::host] starts_with "siteC.mysite.com" }{&nbsp;&nbsp;&nbsp;&nbsp;if {[HTTP::uri] starts_with "/ca/prd/"}{&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Using pool SITEC-PROD-80-POOL"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;persist source_addr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;pool SITEC-PROD-80-POOL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;&nbsp;&nbsp;elseif {[HTTP::uri] starts_with "/ca/stg/"}{&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Using pool SITEC-STG-80-POOL"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;persist source_addr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;pool SITEC-STG-80-POOL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;&nbsp;&nbsp;else reject&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;elseif {[HTTP::host] starts_with "siteD.mysite.com" }{&nbsp;&nbsp;&nbsp;log local0. "Using pool SITED&amp;E-80-POOL"&nbsp;&nbsp;pool SITED&amp;E-80-POOL&nbsp;&nbsp;&nbsp;}&nbsp;elseif {[HTTP::host] starts_with "siteE.mysite.com" }{&nbsp;&nbsp;&nbsp;log local0. "Using pool SITED&amp;E-80-POOL"&nbsp;&nbsp;pool SITED&amp;E-80-POOL&nbsp;&nbsp;}&nbsp;else {&nbsp;&nbsp;&nbsp;log "No header match found"&nbsp;&nbsp;&nbsp;reject&nbsp;}}when SERVER_CONNECTED {&nbsp;if { $CALL_SERVERSIDE_SSL == 1 }{&nbsp;log local0. "Setting Serverside SSL $CALL_SERVERSIDE_SSL"&nbsp;set SSL::enable&nbsp;set SSL::profile TEST-SERVERSIDE-SSL-PROFILE&nbsp;}&nbsp;else {&nbsp;log local0. "Not using Serverside SSL $CALL_SERVERSIDE_SSL"&nbsp;set SSL::disable&nbsp;}}

enes_afsin_al · Answer

Hi Dan DeVlieger,You shouldn't use "set" command before ssl::disable, ssl::enable and ssl::profile.when SERVER_CONNECTED {
	if { $CALL_SERVERSIDE_SSL == 1 } {
		log local0. "Setting Serverside SSL $CALL_SERVERSIDE_SSL"
		SSL::enable
		SSL::profile TEST-SERVERSIDE-SSL-PROFILE
	}
	else {
		log local0. "Not using Serverside SSL $CALL_SERVERSIDE_SSL"
		SSL::disable
	}
}

dan_devlieger · Answer

Thank you very much this resolved the issue we were having

Forum Discussion

iRule for Setting Server Side SSL

Recent Discussions

Http / https health monitor issue

F5-SDK Get GTM Pool Server, Virtual Server, Unused Objects, and JSON Conversion for Data Processing

F5 DNS Generic Host

How do I create a traffic log for two different route domains?

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

iRule based RADIUS Server Stack

Setting up persistence in F5 XC

Set HTTP version

Setting up F5 Telemetry Streaming with Splunk Cloud

iRules Style Guide

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS