Forum Discussion
Adr_Ant
Nimbostratus
Feb 10, 2020SSL Configuration Using IIS 6
Hello, I need help to protect my website using F5 BIG IP-i2600. My current situation like this: I have 2 domain using 2 different server. I purchase multidomain SSL Certificate for this 2 do...
Dec 02, 2010
This was a fun one to try to dig up. It turns out that the LocalLB.RateClass's create method takes a base rate and not the ceiling rate. But, under the seams, it set's the base AND ceiling rate to what you pass in for the base rate parameter. Since the ceiling rate has a minimum value of 296bps, passing a zero in for the base rate will throw the exception.
The workaround is (if your base rate is less than 296bps), pass in the ceiling rate in the create method and then set the base rate after that to the lower value you desire (in your case 0).
-Joe
- Robert_Teller_7Oct 06, 2015Historic F5 Account
You can try enabling the HTTP Profile and then using an iRule to disable HTTP for any request that isn't RFC compliant.
I have attached a snippet that will verify that the first portion of the request contains a string followed by a forward slash.
For an HTTP Request
when CLIENT_ACCEPTED { HTTP::disable TCP::collect 20 } when CLIENT_DATA { scan [TCP::payload] {%s %c} METHOD REQUEST if {$METHOD ne "" && $REQUEST eq "/"} { HTTP::enable } TCP::release }
For an HTTPS Request
when CLIENT_ACCEPTED { HTTP::disable } when CLIENTSSL_CLIENTHELLO { SSL::collect 20} when CLIENTSSL_DATA { scan [SSL::payload] {%s %c} METHOD REQUEST if {$METHOD ne "" && $REQUEST eq "/"} { HTTP::enable } SSL::release }
- Brad_ParkerOct 20, 2015
Cirrus
You can not use an HTTP profile without a ClientSSL profile for HTTPS traffic. Is your virtual server HTTP or HTTPS? If it is HTTPS and you need end-to-end SSL you will also need a ServerSSL profile to re-encrypt.
- Hi Brad That is the way I understand it to work as well, was just asking if anyone was able to get it to work without the http profile. It is a https virtual server, the issue is application related in that it does not allow us to inspect the traffic, thus when I enable the http profile the application doesnt work via the F5.
- Brad_ParkerOct 23, 2015
Cirrus
Enabling the HTTP profile in and of itself will not affect the traffic in any way and is transparent to the application. Do you have SSL profiles enabled? They too should be transparent to the application. How does your application "not work"? There is no way to see or alter the payload of encrypted traffic, that's why HTTPS requires client ssl profiles if you want to see the content.
- Brad_Parker_139Oct 20, 2015
Nacreous
You can not use an HTTP profile without a ClientSSL profile for HTTPS traffic. Is your virtual server HTTP or HTTPS? If it is HTTPS and you need end-to-end SSL you will also need a ServerSSL profile to re-encrypt.
- Hi Brad That is the way I understand it to work as well, was just asking if anyone was able to get it to work without the http profile. It is a https virtual server, the issue is application related in that it does not allow us to inspect the traffic, thus when I enable the http profile the application doesnt work via the F5.
- Brad_Parker_139Oct 23, 2015
Nacreous
Enabling the HTTP profile in and of itself will not affect the traffic in any way and is transparent to the application. Do you have SSL profiles enabled? They too should be transparent to the application. How does your application "not work"? There is no way to see or alter the payload of encrypted traffic, that's why HTTPS requires client ssl profiles if you want to see the content.