Hi I have a request from a client to create a VS with two rules that need to be aplied to it.. one if traffic comes in on http i should send it to a specific pool if traffic comes in as http i should send it to another pool, thats working the second part is the problem if traffic comes in the /apps* on http send it to a third pool, if traffic comes in on https for /apps* send it to a fourth pool.. i'm not sure how to do this....

you need : - One HTTP VS with two pools, one for /apps* and one for everything else. - One HTTPs VS with two pools, one for /apps* and one for everything else. No?

is it something like this? if not, can you provide more detail? [root@ve10:Active] config b virtual bar list virtual bar { snat automap destination 172.28.19.79:20175 ip protocol 6 rules myrule profiles { http {} myclientssl { clientside } tcp {} } } [root@ve10:Active] config b profile myclientssl list profile clientssl myclientssl { defaults from clientssl nonssl enable } [root@ve10:Active] config b rule myrule list rule myrule { when CLIENT_ACCEPTED { set is_ssl 0 } when CLIENTSSL_HANDSHAKE { set is_ssl 1 } when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with "/apps" } { if { $is_ssl } { pool foo1 } else { pool foo2 } } } } [root@ve10:Active] config b pool foo1 list pool foo1 { members 200.200.200.101:80 {} } [root@ve10:Active] config b pool foo2 list pool foo2 { members 200.200.200.111:80 {} } ssl [root@ve10:Active] config ssldump -Aed -nni 0.0 port 20175 or port 80 -k /config/ssl/ssl.key/default.key New TCP connection 1: 172.28.20.11(41472) <-> 172.28.19.79(20175) 1 1 1350977338.6448 (0.0151) C>S SSLv2 compatible client hello 1 2 1350977338.6448 (0.0000) S>CV3.1(81) Handshake 1 3 1350977338.6448 (0.0000) S>CV3.1(953) Handshake 1 4 1350977338.6448 (0.0000) S>CV3.1(4) Handshake 1 5 1350977338.6468 (0.0019) C>SV3.1(262) Handshake 1 6 1350977338.6468 (0.0000) C>SV3.1(1) ChangeCipherSpec 1 7 1350977338.6468 (0.0000) C>SV3.1(36) Handshake 1 8 1350977338.6653 (0.0184) S>CV3.1(1) ChangeCipherSpec 1 9 1350977338.6653 (0.0000) S>CV3.1(36) Handshake 1 10 1350977338.6666 (0.0013) C>SV3.1(197) application_data --------------------------------------------------------------- HEAD /apps/something HTTP/1.1 User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79:20175 Accept: */* --------------------------------------------------------------- New TCP connection 2: 200.200.200.10(41472) <-> 200.200.200.101(80) 1350977338.6688 (0.0010) C>S --------------------------------------------------------------- HEAD /apps/something HTTP/1.1 User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79:20175 Accept: */* --------------------------------------------------------------- not ssl [root@ve10:Active] config ssldump -Aed -nni 0.0 port 20175 or port 80 New TCP connection 1: 172.28.20.11(41470) <-> 172.28.19.79(20175) 1350977232.7057 (0.0007) C>S --------------------------------------------------------------- HEAD /apps/something HTTP/1.1 User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79:20175 Accept: */* --------------------------------------------------------------- New TCP connection 2: 200.200.200.10(41470) <-> 200.200.200.111(80) 1350977232.7078 (0.0010) C>S --------------------------------------------------------------- HEAD /apps/something HTTP/1.1 User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79:20175 Accept: */* ---------------------------------------------------------------

tried it doesn't work. the problem is that i have four different pools that traffic is suppose to go to on http and https. so if traffic comes in on http -> pool 1 https -> pool 2 /apps https -> pool 3 /apps http -> pool 4 this is the best way i can explain. the other problem i have is that all the backend ports differ as well is this possible...

I think this might cover it; rule myrule { when CLIENT_ACCEPTED { set is_ssl 0 } when CLIENTSSL_HANDSHAKE { set is_ssl 1 } when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with "/apps" } { if { $is_ssl } { pool foo1 } else { pool foo2 } } elseif { $is_ssl } { pool foo3 } else { pool foo4 } } } The first if checks for the /apps URI, if a match it checks for SSL, if a match, goes to pool foo1, if no SSL, pool foo2. If no match for /apps it checks for SSL, if a match, goes to pool foo3, if no SSL, pool foo4.

thanks it's working last question i swear LOL... how do i change the rule for two URI's /apps and /applicationOracle

Mutiple i-rules on one VS

29 Replies

Angelo
Nimbostratus
Oct 24, 2012
Hi

the problem is that i now got https working http not working... this is the VS, don't know if there is something wrong on it...

ltm virtual vs_mwgen_dev {

destination 10.217.235.25:any

ip-protocol tcp

mask 255.255.255.255

partition CMRB

profiles {

/Common/http { }

/Common/mtn.co.za {

context clientside

}

/Common/serverssl-insecure-compatible {

context serverside

}

/Common/tcp { }

}

rules {

I-rule_MWGen_dev

/Common/CRM

}

snat automap

vlans-disabled

}
nitass
Employee
Oct 24, 2012
have you disabled serverssl (SSL::disable serverside) when using http pool?

SSL::disable wiki

https://devcentral.f5.com/wiki/iRules.ssl__disable.ashx
Angelo
Nimbostratus
Oct 24, 2012
Hi Nitass

not working i'm getting a error

Server Hangup

don't know what it means...LOL
nitass
Employee
Oct 24, 2012
can you post the latest configuration?

tmsh list ltm virtual (name)

tmsh list ltm pool (name)

tmsh list ltm rule (name)
Angelo
Nimbostratus
Oct 24, 2012
but the error changed so i'm getting somewhere.. LOL
Angelo
Nimbostratus
Oct 24, 2012
but the error changed so i'm getting somewhere.. LOL
Angelo
Nimbostratus
Oct 24, 2012

Hi

the VS

destination 10.217.235.25:any

ip-protocol tcp

mask 255.255.255.255

partition CMRB

profiles {

/Common/http { }

/Common/mtn.co.za {

context clientside

}

/Common/serverssl-insecure-compatible {

context serverside

}

/Common/tcp { }

}

rules {

I-rule_MWGen_dev

/Common/CRM

}

snat automap

vlans-disabled

}

the rule

if { (([string tolower [HTTP::uri]] starts_with "/ppms") or ([string tolower [HTTP::uri]] starts_with "/smartwizard-proxy")) } {

if { $is_ssl } {

pool pool_MWGen_dev_backup_https

} else {

SSL::disable serverside

pool pool_MWGen_dev_backup

}

}

elseif { $is_ssl } {

pool pool_MWGen_dev_https

} else {

SSL::disable serverside

pool pool_MWGen_dev

}

}

}

the pools

root@fa-dc-f5-01(Active)(/CMRB)(tmos.ltm) list pool pool_MWGen_dev_backup

ltm pool pool_MWGen_dev_backup {

members {

zaflplmwgenmm01:37101 {

address 10.217.229.4

session monitor-enabled

state up

}

zaflplmwgenmm02:37101 {

address 10.217.229.5

session monitor-enabled

state up

}

}

monitor /Common/tcp

partition CMRB

}

members {

zaflplmwgenmm01:37102 {

address 10.217.229.4

session monitor-enabled

state up

}

zaflplmwgenmm02:37102 {

address 10.217.229.5

session monitor-enabled

state up

}

}

monitor /Common/tcp

partition CMRB

}
nitass
Employee
Oct 24, 2012
are pool_MWGen_dev_backup and pool_MWGen_dev pools running http?
ssievers_87378
Nimbostratus
Oct 24, 2012
Posted By nitass on 10/24/2012 02:08 AM

have you disabled serverssl (SSL::disable serverside) when using http pool?

SSL::disable wiki

https://devcentral.f5.com/wiki/iRules.ssl__disable.ashx

I think its client side. If the VS accepts both http and https traffic, you have to provide the pool with a SSL profile. For this, you may use SSL:disable when the traffic comes on port 80.

Regards,

Sören
Angelo
Nimbostratus
Oct 24, 2012
Hi Nitass

Yes they are http

Forum Discussion

Mutiple i-rules on one VS

29 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

error code 503 redirect irule

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

OWA File Upload URIs for WAF Bypass

F5 AWAF/ASM learning only from Trusted traffic?

F5OS VLAN naming length restrictions

Related Content

i-rule header insert - APM

I-rule for adapt request "response page"

CLI syntax to change i-rule order

How do I know the rule name of the blocked rule ID in AWS F5 WAF?

Custom i-Rule needs further modifcation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS