PacketHead_4009
Nov 08, 2010

iRule with SSL Offloading Options?

Hello,

I need to know if there is an iRule out there that will do the following:

I have a VIP/site on the F5 https://mysite.com/pddusers and currently it is SSL only. We offload SSL on the F5 and run over port 80 to the back end servers.

We have a new application that runs on the same backend servers but listens on port 443/SSL. What we want to do is allow users who enter the URL https://mysite.com/ittausers/proc to not offload the SSL on the F5 load balancers and to talk to the 443 IIS instance on the back end servers but still allow users to access https://mysite.com/pddusers via the normal SSL offloading method. Is this possible? It seems like I would need to process the iRule before it strips/decrypts the SSL.

Any help or info would be greatly appreciated.

Regards,

James

  • In your post, you've specified HTTP links; are they actually HTTPS, or do you use a rule to redirect HTTP to HTTPS? Your assumption is correct that you'll need to decrypt the request before processing the rule.

    What's your motivation for not wanting to terminate SSL at the F5 for the new application? You could configure an iRule that still sends requests for /ittausers/proc to the port 443 pool but that'd happen after the decryption was done.
  • Hi James,

    As Chris said, you'd have to decrypt the SSL in order to determine which URI the client was requesting. You could technically decrypt all of the clientside SSL and then re-encrypt specific serverside requests using the SSL::disable command. See the wiki page for some examples:

    http://devcentral.f5.com/wiki/default.aspx/iRules/ssl__disable

    Aaron
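
The approach suggested in the replies above, as an added example that is not part of the original thread: every request is decrypted on the client side, then the URI decides whether the server side stays encrypted. It assumes the virtual server carries both a client SSL and a server SSL profile; the pool names `pool_iis_443` and `pool_iis_80` are hypothetical.

```tcl
# Added example, not code posted in the thread.
# Assumptions: the virtual server has a client SSL profile (decrypts all
# requests) and a server SSL profile (re-encrypts toward the pool unless
# disabled). Pool names are hypothetical placeholders.
when HTTP_REQUEST {
    # This event fires after clientside decryption, so the path is readable.
    switch -glob [string tolower [HTTP::path]] {
        "/ittausers/proc*" {
            # New application: leave serverside SSL on and use the
            # members listening on port 443.
            pool pool_iis_443
        }
        default {
            # Existing offloaded sites such as /pddusers: turn off
            # serverside SSL and use the members listening on port 80.
            SSL::disable serverside
            pool pool_iis_80
        }
    }
}
```

The server SSL profile controls whether the F5 validates the back-end certificate, so check that setting rather than relying on re-encryption alone.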