Forum Discussion
irule to a pool using SSL
What I am trying to achieve is to send traffic to a specific pool based on the URI. This works fine on HTTP; the issue I have is when I use the iRule on HTTPS.
I have to assign an HTTP profile to enable me to add an iRule, but when I add the standard HTTP profile the site browses very slowly or gets connection timeouts. I am assuming I need a different setting in the profile, or an SSL profile (server) as well.
Does anyone have any info on what the settings should be in an HTTP profile (to allow SSL to work), or pointers to it? (FYI: if I add the HTTP profile with no iRule it still does not work, so it's not the iRule.)
Thanks in advance
21 Replies
- nastymatt_11986
Nimbostratus
Posted By Kevin Stewart on 02/21/2013 08:34 AM
So to summarize then, if you don't SSL offload, you can't apply an HTTP profile or use this iRule. If you do SSL offload, you'll need to get the certificate and key from each web server behind the BIG-IP to stop the trust errors.
A paragraph I was hoping to not see :) Tavm for the help.
- Michael_Yates
Nimbostratus
Hi nastymatt,
Actually what Kevin is telling you is a good thing and not that difficult at all.
1. Export SSL Certificate from Server.
2. Import SSL Certificate into the LTM Certificate Store (Local Traffic -> SSL Certificates -> Import)
3. Create new SSL Profile (Local Traffic -> Profiles -> SSL -> Client) and assign the Certificate and Key that you imported.
4. Apply SSL Profile (Client) made in Step 3 to the Virtual Server, Apply SSL Profile (Server) to be the default "serverssl".
5. Apply an HTTP Profile (you could use the default if you wish)
6. Assign iRule to the Virtual Server.
This should solve your entire problem and allow your HTTPS Virtual Server to behave just like your HTTP Virtual Server with no SSL Certificate mismatch errors.
The biggest things to remember are:
1. You cannot use an iRule that uses HTTP Methods (when HTTP_REQUEST or when HTTP_RESPONSE) without an HTTP Profile assigned to the Virtual Server.
2. You cannot use an HTTP Profile on encrypted traffic, so if you need an iRule you need to at least Decrypt the traffic (SSL Profile (Client)).
3. If the downstream servers are expecting a secure session then you will need to apply an SSL Profile (Server). This tells the LTM that the downstream server wants to talk securely, so expect it.
- nastymatt_11986
Nimbostratus
Excellent details Michael. I will be putting this into practice next week... so I might be back :)
- Brandon
Cirrostratus
This was a very helpful stream of info.
- Patty_Cl_159208
Nimbostratus
This is good information. I am new to F5 and have found the online info great, but I need some help. I have set up SSL offloading but my website returns HTTP, not HTTPS. Current version is 11.4.0. I imported my cert and key into the SSL profile (client), created my pool using port 80 on the pool members, and created my VS using port 443. I'm using the http profile. I am not familiar with iRules, but maybe I need a redirect? When I ping I am hitting the VIP.
Any assistance is appreciated. Thanks,
- Kevin_Stewart
Employee
When you say "my website returns HTTP not HTTPS", are you referring to redirects and document object references pointing to the http:// URL? If so, that's actually a pretty common issue when offloading SSL, and there are two things you can do about it:
- There's an option in the HTTP profile called "Redirect Rewrite". This option is designed to catch redirects from the server and rewrite the http:// in the Location header to https://. This only applies to redirect (i.e. 30x) responses.
- An iRule and STREAM profile to catch all of the document object references in the HTTP payload. Apply a generic (empty) STREAM profile to the VIP and the following iRule:
    when HTTP_REQUEST {
        # Ask the server for an uncompressed body so STREAM can see the text
        HTTP::header remove Accept-Encoding
        STREAM::disable
    }
    when HTTP_RESPONSE {
        # Only rewrite text content; leave images and other binaries alone
        if { [HTTP::header Content-Type] contains "text" } {
            STREAM::expression {@http://@https://@}
            STREAM::enable
        }
    }
A STREAM is basically like a regular expression evaluator, but in hardware, so it's super fast. The above will find any reference to the string http:// in the HTTP response payload and replace it with https://. You may need to be more explicit in your search/replace if you have strings that you don't want replaced.
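The body rewrite that the STREAM iRule above performs, modelled in Python as an added example (not code from the thread or from F5) so the two practical points in that post can be seen on sample data: the rewrite only works on an uncompressed body, which is why the iRule strips Accept-Encoding from the request, and a blanket @http://@https://@ also rewrites third-party links, so the stricter variant here limits the rewrite to the offloaded site's own hostnames. The hostnames and the sample response body are constructed.

```python
"""Added example (not from the DevCentral thread): model of the STREAM-based
http:// -> https:// body rewrite used after SSL offload.

  * rewrite_all()       mirrors STREAM::expression {@http://@https://@}
  * rewrite_own_hosts() is the "more explicit" variant the post recommends,
                        touching only the offloaded site's own hostnames
  * rewrite_response()  applies the Content-Type check from the iRule and
                        refuses a compressed body, the case that removing
                        Accept-Encoding from the request is meant to prevent
"""
import re
from typing import Iterable, Optional

# Constructed sample: a page as a backend listening on plain HTTP might emit
# it behind an SSL-offloading VIP, with absolute links to itself and to a CDN.
SAMPLE_BODY = (
    b"<html><head>"
    b'<link rel="stylesheet" href="http://www.example.com/css/site.css">'
    b'<script src="http://cdn.partner.example/lib.js"></script>'
    b"</head><body>"
    b'<a href="http://www.example.com/BankingApp">Login</a>'
    b"</body></html>"
)


def is_text_response(headers: dict) -> bool:
    """Mirror of `[HTTP::header Content-Type] contains "text"`."""
    return "text" in headers.get("Content-Type", "").lower()


def rewrite_all(body: bytes) -> bytes:
    """Equivalent of STREAM::expression {@http://@https://@}: every occurrence."""
    return body.replace(b"http://", b"https://")


def rewrite_own_hosts(body: bytes, hosts: Iterable[str]) -> bytes:
    """Stricter rewrite: only absolute links to the offloaded site's own hosts.

    The lookahead requires the hostname to be followed by a path, port, query,
    fragment, quote or whitespace, so "www.example.com.evil" is not matched.
    """
    alternatives = b"|".join(re.escape(h.encode()) for h in hosts)
    pattern = re.compile(rb"http://(" + alternatives + rb")(?=[/:?#\s\"']|$)")
    return pattern.sub(rb"https://\1", body)


def rewrite_response(headers: dict, body: bytes,
                     hosts: Optional[Iterable[str]] = None) -> bytes:
    """Apply the rewrite the way the iRule does, or refuse when it cannot work.

    Non-text content is returned unchanged (the iRule leaves STREAM disabled
    there). A compressed body raises, because a byte-level search for
    "http://" cannot find anything inside gzip or deflate output.
    """
    if not is_text_response(headers):
        return body
    encoding = headers.get("Content-Encoding", "").lower()
    if encoding in ("gzip", "deflate", "br"):
        raise ValueError("compressed body: remove Accept-Encoding on the request first")
    if hosts is None:
        return rewrite_all(body)
    return rewrite_own_hosts(body, hosts)


if __name__ == "__main__":
    hdrs = {"Content-Type": "text/html; charset=utf-8"}
    print(rewrite_response(hdrs, SAMPLE_BODY).decode())
    print(rewrite_response(hdrs, SAMPLE_BODY, hosts=["www.example.com"]).decode())
    try:
        rewrite_response({**hdrs, "Content-Encoding": "gzip"}, b"\x1f\x8b\x08")
    except ValueError as exc:
        print("refused:", exc)
```

Running it shows the blanket rewrite also turning the CDN link into https://, which is harmless here but breaks if the third party serves HTTP only; the host-restricted variant leaves it alone. On the BIG-IP the same narrowing is done by putting the hostname into the STREAM::expression pattern instead of the bare http://.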
- Patty_Cl_159208
Nimbostratus
Kevin,
Thank you so much. I was able to use the HTTP profile redirect/rewrite and that worked. I did try Option 2 but wasn't successful. I think I had details incorrect. I will work on that later. Patty
- wlopez
Cirrocumulus
If you're redirecting within https, you could do something like this:
    when HTTP_REQUEST {
        # Send requests for the site root to the application path
        if { [HTTP::path] eq "/" } {
            HTTP::respond 301 Location "https://abc.xyz/BankingApp"
        }
    }
- Agbenya_Adotey_
Nimbostratus
Thanks for the feedback. I will implement and revert
- Agbenya_Adotey_
Nimbostratus
Hi guys, the suggested approaches did not yield the desired results.
Any other leads?
Regards, Agbenya
- Agbenya_Adotey_
Nimbostratus
Hi Kevin & wlopez, Actually your suggestions worked. It was my fault. Apologies.
very grateful
regards, Agbenya