For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

zski128_101720's avatar
zski128_101720
Icon for Nimbostratus rankNimbostratus
Sep 17, 2010

No HTTP and HTTPs traffic over single VS?

Hello,

 

New to the forums. I am running 9.4.x and I am trying to setup a new virtual server listening on all ports (0). I have a pool of web servers assigned to this VS that are listening on both ports 80 and 443.

 

E,g,

 

10.0.0.1:80

 

10.0.0.1:443

 

10.0.0.2:80

 

10.0.0.2:443...etc.

 

 

My problem is when I try to use a persistence option (ssl, cookie) the virtual server will stop handling HTTP traffic and only allow SSL. If I try to set persistence to cookie, the system requires me to set a HTTP profile which then breaks HTTPs. I would rather not have to create two seperate VS's for this solution (one for 80 and one for 443). Any suggestions?

 

 

Thanks!

 

Rich

 

 

config
design

1 Reply

  • L4L7_53191's avatar
    L4L7_53191
    Icon for Nimbostratus rankNimbostratus
    Sep 19, 2010
    Rich: I would absolutely create separate VIPs here, for a few reasons:

     

     

    1) You need persistence, but the services are totally different (even if the app is the same HTTP is different from HTTPS). I'd setup a 80 and 443 vip, terminate ssl, etc.

     

    2) It's more secure this way. Explicitly exposing services is better than a wildcard (port 0) VIP. A wildcard will forward any port back to your servers - not ideal unless you absolutely need to do this.

     

    3) Since 80 and 443 are different services, different vips help you customize profile behavior for a specific service.

     

     

    -Matt