
Alex1
Sep 15, 2022
Solved

iRule sideband using HTTP/2

All examples I have seen with iRules using 'connect' to generate a sideband connection use HTTP/1.0 or HTTP/1.1. I am wondering if anyone has examples of, or knows how iRule sideband connections can ...
  • Kevin_Stewart
    Sep 15, 2022

    You would indeed use a helper VIP here to do a sideband call. The trick is, the HTTP2 profiles require client and server SSL and client and server HTTP2 profiles. But you can get around that.

    • Configure your helper VIP accordingly
      • HTTP profile
      • Client SSL profile with Renegotiation disabled
      • Server SSL profile with Renegotiation disabled
      • HTTP2 client profile (under Acceleration)
      • HTTP2 server profile
      • VLAN: listening on none
      • Pool to resource
    • Add the following iRule to the helper VIP:
    when CLIENT_ACCEPTED {
        SSL::disable clientside
        HTTP2::disable
    }

    So then traffic should come to the VIP unencrypted, the iRule will disable clientside SSL and HTTP2, then encrypt with HTTP2 to the server.
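
The calling side of the setup described in the answer above, as an added example that is not part of the original post: an iRule on the front-end virtual server that opens a sideband connection to the helper VIP and sends a plain HTTP/1.1 request, leaving TLS and HTTP/2 toward the pool to the helper. The helper virtual server name, Host header, path and timeouts are assumptions.

```tcl
when HTTP_REQUEST {
    # Assumed names (not from the thread): helper VIP, upstream host, path.
    set helper_vs "/Common/h2_helper_vs"
    set sb_host   "api.example.internal"
    set sb_path   "/check"

    # Sideband connection to the helper VIP. This hop is cleartext HTTP/1.1;
    # it stays inside the BIG-IP because the helper listens on no VLAN.
    set conn [connect -protocol TCP -timeout 1000 -idle 30 \
                  -status conn_status $helper_vs]
    if { $conn eq "" } {
        log local0.error "sideband connect to $helper_vs failed: $conn_status"
        return
    }

    # "Connection: close" so the helper ends the response by closing,
    # which keeps the single recv below simple.
    set req "GET $sb_path HTTP/1.1\r\nHost: $sb_host\r\nConnection: close\r\n\r\n"
    set sent [send -timeout 1000 -status send_status $conn $req]
    if { $sent != [string length $req] } {
        log local0.error "sideband send incomplete ($sent bytes): $send_status"
        close $conn
        return
    }

    # Read up to 4096 characters of the response (status line and headers).
    set resp [recv -timeout 2000 -status recv_status 4096 $conn]
    close $conn

    # The helper answers in HTTP/1.x even though the pool member spoke HTTP/2.
    if { [regexp {^HTTP/1\.[01] (\d{3})} $resp -> sb_code] } {
        log local0. "sideband response status: $sb_code"
    } else {
        log local0.error "sideband response unparsable, recv status: $recv_status"
    }
}
```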