Forum Discussion

Alex1's avatar
Alex1
Icon for Nimbostratus rankNimbostratus
Sep 15, 2022

iRule sideband using HTTP/2

All examples I have seen with iRules using 'connect' to generate a sideband connection use HTTP/1.0 or HTTP/1.1 I am wondering if anyone has examples of, or knows how iRule sideband connections can ...
application delivery
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Sep 15, 2022

    You would indeed use a helper VIP here to do a sideband call. The trick is, the HTTP2 profiles require client and server SSL and client and server HTTP2 profiles. But you can get around that.

    • Configure your helper VIP accordingly
      • HTTP profile
      • Client SSL profile with Renegotiation disabled
      • Server SSL profile with Regenotiation disabled
      • HTTP2 client profile (under Acceleration)
      • HTTP2 server profile
      • VLAN: listening on none
      • Pool to resource
    • Add the following iRule to the help VIP:
    when CLIENT_ACCEPTED {
    SSL::disable clientside
    HTTP2::disable
}

    So then traffic should come to the VIP unencrypted, the iRule will disable clientside SSL and HTTP2, then encrypt with HTTP2 to the server.

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 16, 2022

The preferred method of instantiating a sideband connection is by calling the virtual server name directly, instead of an IP:port.

https://clouddocs.f5.com/api/irules/connect.html

So then this is basically the same internal mechanism that VIP targeting uses. There's no 1-1 relationship between sideband and sideband caller, so you're free to call this VIP from any iRule.