Forum Discussion
Is there Limitation of irule "virtual".. can we do it like this?
yep, this is a common scenario and works great. I'm not sure about a top-end limitation, you'd need to test. But with the iRule, if there more than a handful of hosts/policies, I'd recommend a data-group to map host header->virtual so you can keep the iRule logic light. Something like:
when HTTP_REQUEST {
set vip_target [class match -value -- [HTTP::host] equals host2vipmap_dg]
if {$vip_target ne ""} {
virtual $vip_target
} else { reject }
}
with a data-group set up like:
ltm data-group internal host2vipmap_dg {
records {
abc.example.com {
data VS_abc.example.com
}
}
type string
}
Thank you for answer JRahm
May I've another question.. We perform ssl bridging on F5 AWAF (VIP port 443 and pool port 443.. decrypt to scan waf and reencrypt again)
when I use irule "virtual".. Do I need to reencypt before send it to VS_private ?
Flow will be like
Client > VIP:443 > Decrypt > irule send to virtual > (1) what port I need to use on Virtual private ? is it 80?
if it port 80.. So I need to config Virtual_Private to use port 80 with only serverssl profile to re-encrypt it to 443 before send to server , am I correct?
I'm concern about multiple decrypt/encrypt which might affect latency
- JRahmNov 11, 2022Admin
your thought there is correct, you don't want to re-encrypt between the virtual servers on the same backplane. Decrypt on the front-end virtual server with a clientssl profile, re-encrypt on the back-end virtual servers with a serverssl profile.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com