Forum Discussion
Multiple iRules on one VS
Hi
I have a request from a client to create a VS with two rules that need to be applied to it. One: if traffic comes in on http I should send it to a specific pool, if traffic comes in as http I should send it to another pool; that's working. The second part is the problem: if traffic comes in for /apps* on http send it to a third pool, if traffic comes in on https for /apps* send it to a fourth pool. I'm not sure how to do this....
29 Replies
- nitass
Employee
As Sören mentioned, do you use the same virtual server port for http and https? Or do you use different virtual server ports (one for http and the other one for https)?
- ssievers_87378
Nimbostratus
Posted By Angelo on 10/24/2012 02:03 AM
Hi
The problem is that I now got https working, http not working... This is the VS, don't know if there is something wrong on it...
ltm virtual vs_mwgen_dev {
    destination 10.217.235.25:any
    ip-protocol tcp
    mask 255.255.255.255
    partition CMRB
    profiles {
        /Common/http { }
        /Common/mtn.co.za {
            context clientside
        }
        /Common/serverssl-insecure-compatible {
            context serverside
        }
        /Common/tcp { }
    }
    rules {
        I-rule_MWGen_dev
        /Common/CRM
    }
    snat automap
    vlans-disabled
}
Hi, looks like one VS for any port...
Try this:
when CLIENT_ACCEPTED {
    # Use client-side SSL only for connections that arrive on port 443
    if { [TCP::local_port] == 443 } {
        SSL::enable
    } else {
        SSL::disable
    }
}
when HTTP_REQUEST {
    # Special URIs get their own pools; SSL::mode is 1 when SSL is enabled
    if { (([string tolower [HTTP::uri]] starts_with "/apps")
       or ([string tolower [HTTP::uri]] starts_with "/global")
       or ([string tolower [HTTP::uri]] starts_with "/whatever")) } {
        if { [SSL::mode] == 1 } {
            pool foo1
        } else {
            pool foo2
        }
    } elseif { [SSL::mode] == 1 } {
        pool foo3
    } else {
        pool foo4
    }
}
- Angelo
Nimbostratus
Hi ssievers
It's going to the correct pool but I still cannot connect on port 80, now it just hangs..
- ssievers_87378
Nimbostratus
Hi,
So https works fine and http selects the right pool, but there is no response? Can you verify on the target node if there is something in the access.log?
It looks like a problem with the response to the client or the communication between F5 and nodes. Maybe we also have to disable the SSL on responses...
Regards,
Sören
- ssievers_87378
Nimbostratus
Maybe you have to extend the rule like this:
when CLIENT_ACCEPTED {
    # Use client-side SSL only for connections that arrive on port 443
    if { [TCP::local_port] == 443 } {
        SSL::enable
    } else {
        SSL::disable
    }
}
when HTTP_REQUEST {
    # Remember whether this connection uses SSL for the later events
    if { [SSL::mode] == 1 } {
        set usessl 1
    } else {
        set usessl 0
    }
    if { (([string tolower [HTTP::uri]] starts_with "/apps")
       or ([string tolower [HTTP::uri]] starts_with "/global")
       or ([string tolower [HTTP::uri]] starts_with "/whatever")) } {
        if { $usessl == 1 } {
            pool foo1
        } else {
            pool foo2
        }
    } elseif { $usessl == 1 } {
        pool foo3
    } else {
        pool foo4
    }
}
when HTTP_RESPONSE {
    # Apply the same SSL decision on the response side
    if { $usessl == 1 } {
        SSL::enable
    } else {
        SSL::disable
    }
}
- Angelo
Nimbostratus
Thanks, it's working...
- ssievers_87378
Nimbostratus
Finally I know the problem.
You have one VS listening on any port, and for handling SSL requests there is an SSL client profile in your VS. Unfortunately, I think, the VS is trying to use this profile for every request regardless of the incoming port. In this case you have to disable the use of SSL everywhere you do not need it.
It will be much easier if you make two VS, one for SSL handling listening only on port 443 with an SSL profile and another VS for http requests listening only on port 80 without an SSL profile.
For each of these VS you can use separate slim iRules to select a different pool when specific URIs are requested. For any other request, there is the default pool of the VS in the GUI.
Maybe next time ;-)
- Angelo
Nimbostratus
The problem with using two VS is that I will have one DNS name pointing to a single IP.. if I try to create another VS on the same IP it works on 443 but not 80
- ssievers_87378
Nimbostratus
Hi,
this is no problem. You can have one VS for every Port on the same IP.
Regards,
Sören
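
The two-virtual-server layout suggested above, sketched as BIG-IP configuration. This is an added example, not configuration posted in the thread. The object names ending in _http/_https are hypothetical, the pool mapping (foo1 to foo4) follows the iRule posted earlier, and it assumes the server-side SSL profile is wanted only on the HTTPS listener.

```tcl
# Added example. Names ending in _http/_https are hypothetical.
# Port 80 listener: no SSL profiles attached, so the iRule needs no
# SSL::enable / SSL::disable and only picks the pool for /apps.
ltm rule irule_mwgen_http {
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/apps" } {
            pool foo2
        }
    }
}
ltm virtual vs_mwgen_dev_http {
    destination 10.217.235.25:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo4
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        irule_mwgen_http
    }
    snat automap
}
# Port 443 listener: same IP, SSL profiles only here (assumption: the
# server-side SSL profile from the original VS is needed for HTTPS only).
ltm rule irule_mwgen_https {
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/apps" } {
            pool foo1
        }
    }
}
ltm virtual vs_mwgen_dev_https {
    destination 10.217.235.25:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo3
    profiles {
        /Common/http { }
        /Common/mtn.co.za { context clientside }
        /Common/serverssl-insecure-compatible { context serverside }
        /Common/tcp { }
    }
    rules {
        irule_mwgen_https
    }
    snat automap
}
```

Requests that do not match /apps fall through to each virtual server's default pool, so plain HTTP never touches an SSL profile.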