For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Michael_107360's avatar
Michael_107360
Icon for Cirrus rankCirrus
Aug 06, 2016

Is it possble to have 443 splash page without ssl profile

Currently I have a virtual server setup on 80 and 443 with ssl offloading, which is working perfectly. I have a question about using a splash page on 443 if it will work or not. So traffic comes in on 443 gets offloaded then sent to servers on port 11230 with priority of 20, simple. If the 2 web servers fail the want to connect to another server that hosts the splash page. This connection is on 443......will this work? or is a better way to have an irule setup to monitor the pool members then redirect the client to the new site?

 

ltm pool V102.57-P11230 { members { R119.14:11230 { address 159.202.119.14 priority-group 20 session monitor-enabled state up } R119.15:11230 { address 159.202.119.15 priority-group 20 session monitor-enabled state up } R249.141:https { address 170.225.249.141 monitor /Common/tcp_46 priority-group 10 session monitor-enabled state up } } min-active-members 1 monitor min 1 of { V102.57-HEAD } partition Production }

 

application delivery
iRules
LTM

1 Reply

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Aug 06, 2016

    Hi Michael,

    its possible to mix your 

    http:11230
    and 
    https:443
    nodes on the same Virtual Server using seperate pools but also in a single pool using the priority group activation feature.

    But mixing SSL with HTTP nodes on the same Virtual Server is performancewise not that ideal, since it would require you to assign a Server_SSL_Profile and then disable Server_SSL with an iRule on every connection attempt to the default nodes (aka. 

    http:11230
    ) resp. (re)enable Server_SSL on every connection attempt to the fallback nodes (aka. 
    https:443
    ). Take a look to the iRule below to see how to selectively enable/disable Server_SSL:

    when SERVER_CONNECTED {
    if { [PROFILE::exists serverssl] } then {
        if { [TCP::remote_port] != 443 } then {
            SSL::disable serverside
        } else {
            SSL::enable serverside
        }
    } else {
        log -noname local0. "$log_prefix !!!! Warning !!!! The Virtual Server [URI::basename [virtual name]] has no SSL Server Profile assigned !!!! Warning !!!!"
    }
}

    Note: To reduce the performance overhead of the Server_SSL_Profile handling, you should consider to enable the 

    [ONECONNECT]
    feature on your Virtual Server. This will allow you to reuse the serverside connections as much as possible.

    Cheers, Kai