iRule ProxyPass and SSL to Backend

Question

Hello Folks,&nbsp;
I am currently struggling with the ProxyPass iRule, because I am not able to get an Server SSL Handshake to the Backendserver.&nbsp;
Everything is fine when I define the Backendserver in the Default Pool (VS Settings) and without path manipulations. If I try to realize that about the ProxyPass iRule with an Serverside URI redirect it doesn't work.&nbsp;
Clientside: www.test.com/tomcat/&nbsp;
Serverside: www.test.com/&nbsp;
I did create a VS: vs_test_https
an Datagroup: ProxyPassvs_test_https [ /tomcat/ := /(partition)/p_tomcat_host ]
 [ as described ProxyPass iRule ]&nbsp;
an so on. With an tcpdump I see the traffic to the related Backendserver on port 443 but no successful SSL Handshake!?&nbsp;
What's wrong in my configuration? Any suggestions?&nbsp;
Thanks a lot&nbsp;

kevin_davies_40 · Answer

Please provide some configuration information so we can have a look.&nbsp;

reen_sc_140631 · Answer

Sorry for the delay.&nbsp;Here is my configuration. Only standards....no additional modifications.&nbsp;I did check the ProxyPass with "http" to the Backend and it's working fine. Only an ServerSSL Connection won't be established!?&nbsp;Code
ltm virtual /preprod/vs_tomcat {
destination /preprod/193.90.130.45%2:https
ip-protocol tcp
mask 255.255.255.255
partition preprod
persist {
    cookie {
        default yes
    }
}
pool /preprod/p_backend_https
profiles {
    clientssl {
        context clientside
    }
    http { }
    oneconnect { }
    tcp { }
}
rules {
    i_ios_ltm_log_ssl_client_handshake
    i_ios_ltm_log_ssl_server_handshake
    /preprod/ProxyPass
}
source 0.0.0.0%2/0
source-address-translation {
    type automap
}
vlans {
    vlan_webdmz
}
vlans-enabled
vs-index 56
}

tm data-group internal /preprod/ProxyPassvs_tomcat {
partition preprod
records {
    /ssltomcat/ {
        data "/ p_tomcat_https"
    }
    /tomcat/ {
        data "/ p_tomcat_http"
    }
}
type string
}

ltm data-group internal /preprod/ProxyPassSSLProfiles {
partition preprod
records {
    "p_tomcat_https profile_serverssl" { }
}
type string
}It looks like the SSL Profile in the DataGroup (ProxyPassSSLProfiles) is not used. If I define the serverssl profile to the Virtual Server =&gt; same effect.&nbsp;With SSLDump New TCP connection 24: 193.90.139.18(58915) &lt;-&gt; 192.168.1.30(443) 24 0.0016 (0.0016) S&gt;C TCP RST&nbsp;

Forum Discussion

iRule ProxyPass and SSL to Backend

2 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Question about adding VEs to existing physical appliance device group without ASM licenses

2026 301a exam

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?

What is the best practice for migrating from iseries to rseries?

BIG-IP i11000 – License compatibility with TMOS versions above 14.1.2 and Web GUI inaccessible

Related Content

ProxyPass v10/v11

SSL Offloading and Backend pool https

ProxyPass Lite

URL Rewrite/ProxyPass Functionality

iRule to Force Source IP to Specific Backend Node

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS