Forum Discussion

TTOM's avatar
TTOM
Icon for Nimbostratus rankNimbostratus
Nov 22, 2021

iRule proxypass with profilessl

hello, we are using proxypass irule to change pool when uri parameter change , so when user is hitting a.b.c.com/start it going to defined pool in datagroup and thats working fine. Now we deploy c...
application delivery
BIG-IP
iRules
proxypass
TTOM's avatar
TTOM
Icon for Nimbostratus rankNimbostratus
Nov 29, 2021

thank you for interesting of this topic. When I sniff traffic between F5 and physical server it looks like it want use SSL but strange things are happening, because it try negotiate TLS handshake and afterwards server is sending FIN. (we are using port 4004 for this communication ). Worth to mention , when I make this without proxypass its working ...

  • CA_Valli's avatar
    CA_Valli
    Icon for MVP rankMVP
    Nov 29, 2021

    "without proxypass its working" - so, without the iRule?

     

    is your screenshot related to SSL error that you see when iRule is configured? Does it work as expected (ssl too) when you remove iRule? I would argue that in this case, default pool will always be selected (does default pool support SSL?)

     

    What's the output of this command? (replace IP with a member of POOL_SSL)

     

    (echo -e "GET /test/ HTTP/1.1\r\nHost: a.b.c.com\r\nConnection: Close\r\n\r\n";sleep 1) | openssl s_client -connect 10.xxx.yyy.zzz:4004

     

    If your iRule balances between one pool that does not support SSL, and one that does support it, and you applied serverssl profile on Virtual Server, you might want to disable SSL when non-ssl pool is selected:

     

    when SERVER_CONNECTED {

     if {[LB::server port] != 4004 } { # use "AND" statement for additional ports

      SSL::disable

     } 

    }

     

     

    • TTOM's avatar
      TTOM
      Icon for Nimbostratus rankNimbostratus
      Dec 01, 2021

      hello,

      yes, when I remove iRule-ProxyPass and choose as POOL server with ssl - it is working.

      You are right common/default pool for this VIP doesnt have SSL, output of command on screenshot .

      I had to make own lab and Its strange, I suppose issue with irule proxypass, even when I made two POOLs and each host have 443 enabled I got bad request

      It looks like server is getting requests on 80, But in LTM logs we can see I have matched serverssl profile to pool in datagroup of proxypass, also it is set on VIP (server ssl profile)

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Dec 04, 2021

      your images don't work unfortunately.