Forum Discussion
irule to a pool using SSL
What I am trying to achieve is to send traffic to a specific pool based on the URI. This works fine on HTTP; the issue I have is when I use the iRule on HTTPS.
I have to assign an HTTP profile to enable me to add an iRule, but when I add the standard HTTP profile we have, the site browses very slowly or gets connection timeouts. I am assuming I need a different setting in the profile, or an SSL profile (server) as well.
Does anyone have any info on what the settings should be in an HTTP profile (to allow SSL to work), or pointers to it? (FYI - if I add the HTTP profile with no iRule it does not work - so it's not the iRule.)
Thanks in advance
21 Replies
- Kevin_Stewart
Employee
Does it actually browse very slowly and/or sometimes time out, or does it just not work when you add the HTTP profile? There could be several things amiss here:
1. If you need to re-encrypt traffic to the back end server and you don't have a server SSL profile applied, it's more than likely not going to work at all.
2. If you have a 443 virtual server pooling to 443 servers, with no SSL profiles (SSL pass through), then you cannot add an HTTP profile. In fact if you're not terminating the client side SSL then you cannot use an HTTP profile.
3. You said "the standard http profile we have". Does that mean you've modified the default HTTP profile? If so, what did you change?
4. It could be that the application uses absolute addressing and cannot handle the https:// namespace when it's listening on http://. You need to look at what the server is sending to the client. If it's sending references to http:// resources (redirects, page objects, etc.), which the client cannot access, then you'll need to make provisions for that.
- nastymatt_11986
Nimbostratus
Excellent info there.. working through it now... here is some more info if it helps:
The HTTP profile is the standard one - http - if this is enabled then the site times out.
If I use an SSL server profile - wom-default-serverssl - (and no HTTP profile) it works fine; add the HTTP profile and it stops.
- nastymatt_11986
Nimbostratus
Think I am getting closer:
https://devcentral.f5.com/community/group/aft/1172003/asg/52
This is pretty close; it looks like I need to forward - but how do I do that based on the string in HTTP::uri? What should I modify to make this iRule a forward?
    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if { $uri starts_with "/abc" } {
            pool W_APool_443
        } else {
            pool W_BPool_443
        }
    }
- Kevin_Stewart
Employee
I'm not sure that applies.
If you intend to decrypt the SSL on the client side, you need to apply a client SSL profile to the VIP. If you need to re-encrypt to the server, you need a server SSL profile applied to the VIP. If you intend to decrypt and then re-encrypt, then you need both client and server SSL profiles applied. If you're attempting to manage layer 7 (HTTP) data on an encrypted channel without first decrypting, then it will most certainly fail. You cannot see HTTP::uri in an HTTP_REQUEST event if you haven't applied a client SSL profile.
So, how is your VIP configured with respect to SSL encryption/decryption?
- nastymatt_11986
Nimbostratus
"So, how is your VIP configured with respect to SSL encryption/decryption?" - are you talking about client and server profiles? If so, I have tried a combination of all the standard ones and they do not seem to work.
Are there other settings for encryption/decryption?
- nastymatt_11986
Nimbostratus
Thinking about it.. I'd need the cert on the f5 to be able to unencrypt. That's not on there...
I feel like my problem is that! Thanks for your time Kevin.. this stuff is all new to me (if that wasn't obvious)
- Kevin_Stewart
Employee
Let's step back and reassess.
Are clients contacting your virtual server on port 443 via HTTPS? If so you need a client SSL profile applied to the virtual server and 443 in the destination port of the virtual server.
Are the web servers behind the BIG-IP also listening on 443 (HTTPS)? If so you need a server SSL profile applied to the virtual server and the pool members should be configured with their respective IPs and port 443. If they are not HTTPS servers, then do NOT apply a server SSL profile.
At this point, and with no HTTP profile applied, you should be able to access your servers through the BIG-IP VIP. If that works, apply the generic HTTP profile without the iRule. If that works, apply the iRule.
Can you also post your iRule?
- Kevin_Stewart
Employee
"I'd need the cert on the f5 to be able to unencrypt"
Assuming you're referring to the client SSL profile, you can use the generic default certificate and key for now. You'll get a browser trust error, but you'll still be able to negotiate SSL.
- nastymatt_11986
Nimbostratus
Correct KS.. the BIG-IP is listening on 443 and forwards to 443. If I add client and server SSL profiles I get the trust error. The problem is these are public web sites being served, so they cannot have trust issues :(
What I am trying to do is direct traffic to specific pools based on the URI. We have migrated part of the site to a new server; when we move it all then this will not be a problem, as all traffic can be forwarded (saying that.. this has prompted me to seriously consider SSL offloading) and no URI check will happen.
This is my iRule (all names changed to protect the innocent).. so if you hit www.mysite.com/abc you will go to one set of servers.. anything else, you hit the originals.
    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if { $uri starts_with "/abc" } {
            pool W_APool_443
        } else {
            pool W_BPool_443
        }
    }
- Kevin_Stewart
Employee
So to summarize then, if you don't SSL offload, you can't apply an HTTP profile or use this iRule. If you do SSL offload, you'll need to get the certificate and key from each web server behind the BIG-IP to stop the trust errors.
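Kevin's sequence from the two posts above (a client SSL profile carrying the site's own certificate and key so there is no trust error, a server SSL profile because the pool members listen on 443, then the generic HTTP profile, then the iRule) written out as a bigip.conf fragment that can be loaded with tmsh load sys config merge from-terminal. This is an added example, not configuration from the thread or from F5: the VIP address, pool member addresses, certificate/key object names and the profile, iRule and virtual server names are placeholder assumptions, while the pool names and the iRule body are the ones posted above.

```tmsh
# Added example (not from the thread). Load with: tmsh load sys config merge from-terminal
# Addresses, VIP/profile/iRule names and cert/key object names are placeholder assumptions.
# 1. Pools of the HTTPS back-end servers (listening on 443, health-checked over HTTPS).
ltm pool W_APool_443 {
    members {
        192.0.2.11:443 { address 192.0.2.11 }
        192.0.2.12:443 { address 192.0.2.12 }
    }
    monitor https
}
ltm pool W_BPool_443 {
    members { 192.0.2.21:443 { address 192.0.2.21 } }
    monitor https
}
# 2. Client SSL profile with the site's own cert, key and chain, so browsers see no trust error.
ltm profile client-ssl www_mysite_clientssl {
    defaults-from clientssl
    cert www_mysite.crt
    key www_mysite.key
    chain www_mysite_chain.crt
}
# 3. Server SSL profile: re-encrypt to the pool members because they listen on 443.
ltm profile server-ssl www_mysite_serverssl {
    defaults-from serverssl
}
# 4. The thread's URI-based pool selection. HTTP_REQUEST only fires once the
#    client-side SSL profile has decrypted the request.
ltm rule uri_pool_select {
when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    if { $uri starts_with "/abc" } {
        pool W_APool_443
    } else {
        pool W_BPool_443
    }
}
}
# 5. Virtual server: clientssl on the client side, serverssl on the server side,
#    the generic http profile, and the iRule (Kevin's order of testing).
ltm virtual vs_www_mysite_443 {
    destination 203.0.113.10:443
    ip-protocol tcp
    profiles {
        http { }
        tcp { }
        www_mysite_clientssl { context clientside }
        www_mysite_serverssl { context serverside }
    }
    rules { uri_pool_select }
}
```

Test each step in Kevin's order (pools and SSL profiles first, then add http, then the rule), because an iRule using HTTP_REQUEST cannot be attached to a virtual server that has no HTTP profile.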