For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

brad_scherer_11's avatar
brad_scherer_11
Icon for Nimbostratus rankNimbostratus
Apr 09, 2009

Load Balance to an SSL Proxy Server

Hello,     I have an interesting problem/solution here.   We run ISA server proxies that are in a pool behind the BigIP. The BigIP hosts the VIP on port 8080.   We want to impleme...
application delivery
dev
devops
iRules
brad_scherer_11's avatar
brad_scherer_11
Icon for Nimbostratus rankNimbostratus
Apr 09, 2009
Thank you for the reply. No we are not terminating on the F5. Basically we want any SSL traffic (determined by port/s) to simply go to a different pool of proxies than the standard.

 

 

The HTTP rule I previously posted did look like it was working to a degree but I am not sure it is the best way to approach this.

 

Here is a client_accept rule that I tested.....unsuccessfully.

 

 

I used examples to build this rule yesterday so am not even sure if it has been pieced together correctly.

 

 

when CLIENT_ACCEPTED {

 

TCP::collect 20

 

}

 

when CLIENT_DATA {

 

if { [TCP::payload 20] contains "443" } {

 

pool WebWasher

 

log local0. "Rule for WebWasher HTTPS redirect"

 

}

 

TCP::release

 

}

 

 

 

After the standard 3way handshake on port 8080 to the proxy here is a dump of the next request sent on port 8080. This is where we want to make the decision as to which pool to go to based on the port number in the CONNECT request.

 

 

40.00010.72.1.4010.81.13.40HTTPCONNECT somesite.com:443 HTTP/1.0