Methods to determine whether an inbound connection is SSL or not

Question

Hi Folks, 
 This is probably a bit of a newbie question. 
 I have two virtual servers lets call them vs_A_http and vs_B_https, assigned to myserver on one IP, both served by pool_webservers 
 I want to redirect all requests to http://myserver/secure to https://myserver/secure.   
 This is easy, the difficulty I am having is that I also want requests to https://myserver/secure to go to pool_securepaymentservers and all other https requests to go to pool_webservers (with bigip ssl offload. 
 I have managed to do this with one irule per virtual server.  Like this: 
 irule applied to http server 
  
 when HTTP_REQUEST { 
 if { [HTTP::uri] starts_with "/secure" } { 
 HTTP::redirect "https://[HTTP::host][HTTP::uri]" 
 } 
 } 
  
 irule applied to https server 
 when HTTP_REQUEST { 
 if { [HTTP::uri] starts_with "/secure" } { 
 pool pool_securepaymentservers  
 } 
 } 
 Is there a better way to do this?

l4l7_53191 · Answer

This is a good way to do it. The only thing that stands out is that you may want to add an "else" clause to the SSL rule so you've got a fall back destination if the URI doesn't match - a default pool on the VS configuration will have the same effect, but I personally like to see it explicitly spelled out in the rule so the behaviors are easier to track. 
&nbsp; -Matt &nbsp;

jrahm · Answer

you could consolidate into one iRule, applied to both, by evaluating the TCP::local_port contents:

when HTTP_REQUEST { 
   if { ([TCP::local_port] eq "443") and ([HTTP::uri] starts_with "/secure") } { 
     pool pool_securepaymentservers 
   } elseif { ([TCP::local_port] eq "80") and ([HTTP::uri] starts_with "/secure") } { 
        HTTP::redirect "https://[HTTP::host][HTTP::uri]" 
   } 
 }

hoolio · Answer

To add to what Matt said, if you don't explicitly specify a pool in an else clause, you need to add a OneConnect profile to ensure subsequent requests on the same TCP connection go to the correct pool.  For details see: 
&nbsp;  
&nbsp; OneConnect with HTTP 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/oneconnect.html 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Methods to determine whether an inbound connection is SSL or not

3 Replies

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

f5 r5600 appliance issue with adding trunk to vlan

SSL Forward Proxy, iRules and Client Hello

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

Related Content

Difference between Ratio and Ratio Least Connection Load Balancing Method

HTTP method conversion

BIG-IP methods to Fix the “421 Misdirected Request” Error

LB Connection Limit Detection Method

get_statistics method failing when trying to get current connection counts

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS