ICM_38001
Nimbostratus
Jul 07, 2009
Methods to determine whether an inbound connection is SSL or not
Hi Folks,
This is probably a bit of a newbie question.
I have two virtual servers, let's call them vs_A_http and vs_B_https, assigned to myserver on one IP, both served by pool_webservers.
I want to redirect all requests to http://myserver/secure to https://myserver/secure.
This is easy; the difficulty I am having is that I also want requests to https://myserver/secure to go to pool_securepaymentservers and all other https requests to go to pool_webservers (with bigip ssl offload).
I have managed to do this with one irule per virtual server. Like this:
irule applied to http server

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/secure" } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }

irule applied to https server

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/secure" } {
            pool pool_securepaymentservers
        }
    }

Is there a better way to do this?
- L4L7_53191
Nimbostratus
This is a good way to do it. The only thing that stands out is that you may want to add an "else" clause to the SSL rule so you've got a fallback destination if the URI doesn't match - a default pool on the VS configuration will have the same effect, but I personally like to see it explicitly spelled out in the rule so the behaviors are easier to track.
- JRahm
Admin
You could consolidate into one iRule, applied to both, by evaluating the TCP::local_port contents:

    when HTTP_REQUEST {
        if { ([TCP::local_port] eq "443") and ([HTTP::uri] starts_with "/secure") } {
            pool pool_securepaymentservers
        } elseif { ([TCP::local_port] eq "80") and ([HTTP::uri] starts_with "/secure") } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }

- hoolio
Cirrostratus
To add to what Matt said, if you don't explicitly specify a pool in an else clause, you need to add a OneConnect profile to ensure subsequent requests on the same TCP connection go to the correct pool. For details see:
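
The suggestions in this thread combined into one rule, as an added example that is not code from any of the posters: a single iRule for both virtual servers, keyed on the local port, with the explicit else clauses the replies recommend. Pool names are the ones from the question; lower-casing the URI before matching is an assumption added here so that "/Secure" is handled like "/secure".

```tcl
when HTTP_REQUEST {
    # Lower-case once for matching only (added assumption, not in the
    # thread's rules); the redirect still uses the URI as requested.
    set uri [string tolower [HTTP::uri]]

    if { [TCP::local_port] == 443 } {
        # HTTPS virtual server (SSL offloaded on the BIG-IP).
        # A pool is chosen on every request, so a keep-alive connection
        # that has already been sent to the payment pool goes back to
        # the web pool when a later request is not under /secure.
        if { $uri starts_with "/secure" } {
            pool pool_securepaymentservers
        } else {
            pool pool_webservers
        }
    } else {
        # HTTP virtual server: /secure is never served in clear text,
        # it is redirected to the HTTPS virtual server instead.
        if { $uri starts_with "/secure" } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        } else {
            pool pool_webservers
        }
    }
}
```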