Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

John_Klemm_4418's avatar
John_Klemm_4418
Icon for Nimbostratus rankNimbostratus
Oct 20, 2006

layout

here is my Irule for two new servers coming in on VIP .77   when HTTP_REQUEST {   switch [string tolower [HTTP::host]] {   sites.xxx.xxx.mil { pool sites.xxx.xxx.mil_pool}   ...
application delivery
dev
devops
irules
Colin_Walker_12's avatar
Colin_Walker_12
Historic F5 Account
Nov 02, 2006
It looks like you coded the switch statement appropriately, assuming that each hostname with "xxx.xxx" in it matches the incoming hostname fromt he client, and the pool is valid.

If the incoming connections are SSL, though, you'd have to first decrypt those requests via a CLIENT-SSL profile on the BIG-IP, before the iRule would be able to interpret any of the header data, such as the Host.

Are you doing this? If so, you're probably going to get warnings about the domain name on the cert you're using for your CLIENT-SSL profile, as you can only assign a single cert to that profile, and you're trying to use a single SSL vip to host multiple hostnames. That is unless you're using a wildcard cert for usmc.mil.


when HTTP_REQUEST {
  switch [string tolower [HTTP::host] ] {
    sites.xxx.xxx.mil { 
      pool sites.xxx.xxx.mil_pool
    }
    eusmc.xxx.xxx.usmc.mil {
      pool eusmc.xxx.xxx.usmc.mil_pool
    }
    ehqmc.xxx.xxx.usmc.mil {
      pool ehqmc.xxx.xxx.usmc.mil_pool
    }
    tecom.xxx.xxx.usmc.mil {
      pool tecom.xxx.xxx.usmc.mil_pool
    }
    mccdc.xxx.xxx.usmc.mil {
      pool mccdc.xxx.xxx.usmc.mil_pool
    }
    caocl.xxx.xxx.usmc.mil {
      pool caocl.xxx.xxx.usmc.mil_pool
    }
    default {
      pool default_pool
    }
  }
}

Colin