Forum Discussion
iRule order of operation (SSL offloading)
Hi Guys,
I have a newbie question on iRules; I am not a programmer but need to get this working somehow!
We have a LEGACY iRule which looks at the HTTP header and then sends traffic to the relevant Pool. There is no Default Pool configured; it all gets determined in the iRule. All these Pools do SSL offloading. Now we are moving to Office 365, which requires SSL bridging for migration, therefore we want to insert a NEW iRule which sends traffic to a new Pool if destined for MRSproxy. I found a NEW iRule on the DevCentral forums which seems to do exactly this (see below). However it is not working, and I am thinking it is an order-of-operations or priority-type issue when having multiple iRules with the same Event type as the trigger...
LEGACY iRule

    when HTTP_REQUEST {
        # OAB and Autodiscover do not require persistence.
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                # Direct all ActiveSync clients to a common pool; use Auth
                # header value if it exists (Basic auth only, which is the
                # default); otherwise we fall back to client IP
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } elseif { [HTTP::header exists "Authorization"] } {
                    persist uie [HTTP::header "Authorization"] 7200
                } else {
                    persist source_addr
                }
                pool exchange_as_pool
                COMPRESS::disable
                CACHE::disable
                return
            }
            default {
                # This final section takes all traffic that has not otherwise
                # been accounted for and sends it to the pool for Outlook Web App
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
                pool exchange2010_owa_pool
            }
        }
    }
    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }

NEW iRule

    when HTTP_REQUEST {
        # If the request is for a proxy.svc URI select a separate pool and leave serverssl enabled
        if { [HTTP::path] eq "/EWS/mrsproxy.svc" } {
            pool exchange2010_secure_pool
        }
    }
5 Replies
- What_Lies_Bene1
Cirrostratus
You could try and add a priority to one rule or another to control the execution order but I'm not sure it'll help considering the rule contents. Why not just integrate the new rule into the first/original?
- Kevin_Stewart
Employee
I'm not sure it's a matter of priority or order of operation as much as it is perhaps some missing pieces. Assuming you have a server SSL profile applied to the VIP, the activesync and OA path conditions are not explicitly disabling server side SSL. I've reworked your code to include all conditions in a single iRule:
    when HTTP_REQUEST {
        # OAB and Autodiscover do not require persistence.
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                # Direct all ActiveSync clients to a common pool; use Auth
                # header value if it exists (Basic auth only, which is the
                # default); otherwise we fall back to client IP
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } elseif { [HTTP::header exists "Authorization"] } {
                    persist uie [HTTP::header "Authorization"] 7200
                } else {
                    persist source_addr
                }
                pool exchange_as_pool
                COMPRESS::disable
                CACHE::disable
                # disable serverssl serverside
                SSL::disable serverside
                return
            }
            "/ews/mrsproxy.svc" {
                # If the request is for a proxy.svc URI select a separate pool
                # and leave serverssl enabled. The pattern must be lowercase
                # because the switch compares the lowercased path.
                pool exchange2010_secure_pool
            }
            default {
                # This final section takes all traffic that has not otherwise
                # been accounted for and sends it to the pool for Outlook Web App
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
                pool exchange2010_owa_pool
                # disable serverssl serverside
                SSL::disable serverside
            }
        }
    }
    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }
- JayP_46820
Nimbostratus
Thanks Kevin,
For some reason I couldn't edit above post and code was mangled, sorry about that.
Actually at the moment there is no server side SSL profile on the VS, as all current SSL is offloaded by the F5. Only the particular traffic for mrsproxy will need to have server side SSL. Not sure if that is supported.
Perhaps I can still combine the iRules like this?
    when HTTP_REQUEST {
        # If the request is for a proxy.svc URI select a separate pool and leave serverssl enabled
        if { [HTTP::path] eq "/EWS/mrsproxy.svc" } {
            pool exchange_secure_pool
            # return inside the branch so only mrsproxy requests skip the switch below
            return
        }
        # OAB and Autodiscover do not require persistence.
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                # Direct all ActiveSync clients to a common pool; use Auth
                # header value if it exists (Basic auth only, which is the
                # default); otherwise we fall back to client IP
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } elseif { [HTTP::header exists "Authorization"] } {
                    persist uie [HTTP::header "Authorization"] 7200
                } else {
                    persist source_addr
                }
                pool exchange_as_pool
                COMPRESS::disable
                CACHE::disable
                return
            }
            default {
                # This final section takes all traffic that has not otherwise
                # been accounted for and sends it to the pool for Outlook Web App
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
                pool exchange2010_owa_pool
            }
        }
    }
    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }
- Kevin_Stewart
Employee
The thing is, if you're load balancing to different pools in a single VIP, and any one of those pools needs a server side SSL, then you must apply a server SSL profile to the VIP and selectively disable it.
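As an added illustration (not code from the thread or from F5), here is a Python model of the per-request decisions the combined iRule makes, together with a check for the profile requirement Kevin describes. Path, pool and header names are those from the thread; the vip_has_serverssl flag and the function names are assumptions.

```python
from dataclasses import dataclass

# Path, pool and header names are the ones used in the thread. The
# vip_has_serverssl flag is an assumption modelling whether a server SSL
# profile is attached to the virtual server.
MRSPROXY_PATH = "/ews/mrsproxy.svc"
ACTIVESYNC_PATH = "/microsoft-server-activesync"


@dataclass(frozen=True)
class Decision:
    pool: str
    persist: str          # "uie:<header>", "source_addr" or "none"
    serverside_ssl: bool  # True = SSL bridging to the pool, False = offload


def _persist_key(headers: dict, use_authorization: bool) -> str:
    """Persistence order from the posted iRule: APM_session first, then
    (ActiveSync only) the Authorization header, otherwise client IP."""
    if "APM_session" in headers:
        return "uie:APM_session"
    if use_authorization and "Authorization" in headers:
        return "uie:Authorization"
    return "source_addr"


def route(path: str, headers: dict, vip_has_serverssl: bool) -> Decision:
    """Decision the combined iRule makes for one request.

    The iRule's switch compares the lowercased path, so matching is
    case-insensitive here too. Server-side SSL can only be left on for
    the mrsproxy pool if a server SSL profile exists on the VIP."""
    lpath = path.lower()
    if lpath == MRSPROXY_PATH:
        if not vip_has_serverssl:
            raise ValueError("mrsproxy needs a server SSL profile on the VIP")
        return Decision("exchange2010_secure_pool", "none", True)
    if lpath == ACTIVESYNC_PATH:
        return Decision("exchange_as_pool", _persist_key(headers, True), False)
    return Decision("exchange2010_owa_pool", _persist_key(headers, False), False)


def unbridgeable_paths(paths, vip_has_serverssl: bool) -> list:
    """Config check: paths whose pool needs server-side SSL but cannot get
    it because no server SSL profile is on the VIP."""
    bad = []
    for p in paths:
        try:
            route(p, {}, vip_has_serverssl)
        except ValueError:
            bad.append(p)
    return bad
```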
- JayP_46820
Nimbostratus
Thanks Kevin, now I understand why you did it that way. Will try it tonight with a server SSL profile and disabling where needed. This makes sense. =)