Forum Discussion
iRule sideband using HTTP/2
- Sep 15, 2022
You would indeed use a helper VIP here to do a sideband call. The trick is, the HTTP2 profiles require client and server SSL and client and server HTTP2 profiles. But you can get around that.
- Configure your helper VIP accordingly
  - HTTP profile
  - Client SSL profile with Renegotiation disabled
  - Server SSL profile with Renegotiation disabled
  - HTTP2 client profile (under Acceleration)
  - HTTP2 server profile
  - VLAN: listening on none
  - Pool to resource
- Add the following iRule to the helper VIP:

    when CLIENT_ACCEPTED {
        # Sideband traffic arrives unencrypted: turn off client-side SSL
        SSL::disable clientside
        # ...and turn off HTTP2 on the client side as well
        HTTP2::disable
    }
So then traffic should come to the VIP unencrypted, the iRule will disable clientside SSL and HTTP2, then encrypt with HTTP2 to the server.
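The calling side of the setup described above, as an added example that is not part of the original post: an iRule on a main virtual server that opens a sideband connection to the helper VIP by name, sends a plain HTTP/1.1 request, and reads the status code. The helper name `/Common/helper_h2_vs`, the host `backend.example.internal`, the path `/check` and the timeouts are assumptions for illustration.

```tcl
when HTTP_REQUEST {
    # Assumed names, not from the original post.
    set helper_vs "/Common/helper_h2_vs"
    set sb_host   "backend.example.internal"

    # Connect to the helper virtual by name. It listens on no VLAN,
    # so it is reachable only through a sideband call like this one.
    set conn [connect -protocol TCP -timeout 1000 -idle 30 \
                  -status conn_status $helper_vs]
    if { $conn eq "" || $conn_status ne "connected" } {
        log local0.warning "sideband connect to $helper_vs failed: $conn_status"
        return
    }

    # Plain HTTP/1.1 on this leg; the helper VIP's server-side SSL and
    # HTTP2 profiles handle encryption and HTTP/2 toward the pool.
    set req "GET /check HTTP/1.1\r\nHost: $sb_host\r\nConnection: close\r\n\r\n"
    send -timeout 1000 -status send_status $conn $req
    if { $send_status ne "sent" } {
        log local0.warning "sideband send failed: $send_status"
        close $conn
        return
    }

    # Only the status line is needed here, so a single bounded read is enough.
    set resp [recv -timeout 3000 -status recv_status 4096 $conn]
    close $conn

    if { [regexp {^HTTP/1\.[01] (\d{3})} $resp -> code] } {
        log local0.info "sideband response status: $code"
    } else {
        # Timeout, empty read or malformed reply: treat as a failed call.
        log local0.warning "sideband recv failed or unparseable: $recv_status"
    }
}
```

Whether a failed sideband call should block or allow the original request depends on what the call is used for; this sketch only logs the outcome.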
Excellent, thank you!!
I've marked your response as accepted because it covers off what I asked exactly.
It does raise another question which I can maybe find the answer to within online documentation, but I suspect you may just know the answer if you don't mind…..
For the helper VS - I've seen that you can set any destination IP and port really, plus you mentioned setting the VLAN to none which is a good point thank you. I assume the F5 uses some internal process to ‘reach’ the VS rather than traditional routing?
I am therefore wondering are there any limitations around sending traffic to the same helper VS from multiple iRules? I expect to have a very similar iRule assigned to different VSes that will all need to make the same sideband call – note that these VSes will be in different traffic groups from each other, just to give them separate session caches (use HA pair but should always be active/standby not active/active).
Can each iRule use the same helper VS (i.e. single helper VS being ‘called’ by multiple iRules), or does the way that the traffic is passed using an internal mechanism mean there is a requirement for a 1-1 mapping between main VS (iRule) and helper VS?
If multiple VSes (iRules) can use the same helper VS then is that still true, or advisable, in my case where the different main VSes (iRules) will operate in different traffic groups? Even if the iRules can ‘share’ a helper VS I am currently thinking I may be better using a 1-1 mapping with each VS (iRule) having its ‘own’ helper VS – having each helper VS in the same traffic group as its corresponding main VS, just in case a problem ever arose and the devices went active/active – i.e. so that each helper VS would ‘move’ with the corresponding main VS.