Forum Discussion

Robabob_74340
Jun 18, 2007

Pass desired node in URL as query param

Hello,

I'm trying to write an iRule which will direct a user to a particular node when they pass a query parameter and ignore any existing persistence. For example:

http://mysite.com/?node=alpha or http://mysite.com/?node=beta

I'm a total novice to TCL/iRules etc. so I apologise in advance for any silly questions.

This is what I've cobbled together from other examples I've seen.

when HTTP_REQUEST {
  if { [HTTP::uri] contains "node=alpha" }{
    node xxx.xxx.xxx.xxx 443
  }
}

When I apply this rule it seems to recognise the query param, as without it the webpage loads, but when the node=alpha is added the browser cannot load a page.

I don't know if it has an effect but we are currently using cookie persistence on the F5s.

So any ideas as to what I've done wrong?

Cheers

Rob
  • Deb_Allen_18
    Historic F5 Account
    If you're intending to pass encrypted traffic to an HTTPS server for only this traffic, and all other traffic unencrypted to the default pool, you'd need to apply a serverSSL profile to the virtual and selectively disable SSL on the server side like this:
    when HTTP_REQUEST {
      set reencrypt 0
      if { [HTTP::uri] contains "node=alpha" }{
        node xxx.xxx.xxx.xxx 443
        set reencrypt 1
      }
    }
    when SERVER_CONNECTED {
      if { $reencrypt == 0 }{
        SSL::disable
      }
    }

    /deb
  • Thanks for the reply, Deb; however, I'm not sure it's what I want, as I'm not splitting the traffic based on http/https. I simply want to have the ability to choose which node my http/https request is served by. The code I showed was just my first iRule, which I was applying to a virtual server which was configured for https traffic. I will also need a version for virtual servers which are running http, unless I can write a global rule. I hope that makes sense?
  • Deb_Allen_18
    Historic F5 Account
    Your original iRule is simple enough, but I don't understand the intended traffic flow well enough to give you a specific answer.

    I would start troubleshooting by applying your original iRule to a non-encrypted virtual server and sending to a non-encrypted node, with no ssl profiles applied to the virtual. You will have to ensure the default gateway is configured appropriately or add static routes supporting this outbound traffic, and you may also need to enable SNAT on the virtual if the return path from the server will not naturally traverse the LTM to reverse the destination address translation that happens by default.

    Once you have that working, then you can move on to managing encrypted traffic, for which there are a few additional considerations: For HTTPS traffic, you can only see the request if you are decrypting @ LTM (clientSSL profile applied to the virtual server) and then if you want to send encrypted to the backend, you'd also apply a serverSSL profile.

    A global rule that would handle both is possible, but how manageable it would be would depend on the number of different conditions on which you'd need to direct traffic. I'd recommend creating a unique iRule for each virtual that includes only the relevant conditions.

    HTH

    /deb
  • Hi Deb,

    Thanks again for your help. I've managed to apply my original rule to a non-SSL virtual server and it works fine. I slightly modified it by adding the elseif so I can choose the node I wish to be re-directed to, or none if no query params were found.
    when HTTP_REQUEST {
      if { [HTTP::uri] contains "node=alpha" }{
        node xxx.xxx.xxx.111 80
      } elseif { [HTTP::uri] contains "node=beta" } {
        node xxx.xxx.xxx.112 80
      }
    }

    I'm afraid I didn't understand a lot of your comments so I'm not sure of the best way to proceed to get the SSL version working. I'll give you a little more info on our set-up in case that helps explain better what I'm trying to do.

    We have a number of websites hosted behind the BIG IP, some are HTTP some are HTTPS. The HTTPS certs are installed on the F5's and handled there and then non-encrypted traffic is passed to the web servers. Hopefully this will help.

    Thanks

    Rob
  • Deb_Allen_18
    Historic F5 Account
    Ok, thanks for testing & the further clarification -- breaking down the problem into manageable steps like that is very helpful.

    To use the same iRule logic to handle HTTPS requests, all you should have to do is create the virtual server with all the same settings except service port will be 443, and add the clientssl profile. Specify as resources the same pool and the same rule and it should work.

    HTH

    /deb
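
An added example, not code from any poster in this thread: a variant of the rule that can be attached to both the HTTP virtual and the HTTPS virtual (with the clientssl profile) described above. Because `contains "node=alpha"` is a substring test, it also fires on requests such as `?xnode=alpha` or `?node=alphabet`; this version reads only a parameter named exactly `node` and honours it only if the value is on an allow-list. The addresses are constructed placeholders from the documentation range, and `persist none` is included on the assumption that the cookie persistence mentioned in the question should not apply to these requests.

```tcl
when HTTP_REQUEST {
    # Constructed allow-list: parameter value -> node address.
    # 192.0.2.x are placeholder addresses; substitute the real web servers.
    array set node_map {
        alpha 192.0.2.11
        beta  192.0.2.12
    }

    # Split the query string into name=value pairs and look only at a
    # parameter whose name is exactly "node" (first occurrence wins).
    set wanted ""
    foreach pair [split [HTTP::query] "&"] {
        set kv [split $pair "="]
        if { [lindex $kv 0] eq "node" } {
            set wanted [lindex $kv 1]
            break
        }
    }

    if { $wanted ne "" } {
        if { [info exists node_map($wanted)] } {
            # Disable persistence for this connection, then send the
            # request to the chosen server. Port 80 is used on both
            # virtuals because TLS is terminated on the BIG-IP.
            persist none
            node $node_map($wanted) 80
        } else {
            # Unknown value: fall through to the default pool and record
            # who asked, so probing of the parameter is visible in the logs.
            log local0. "Ignored node override from [IP::client_addr]"
        }
    }
}
```

Any client that can reach the virtual server can use this parameter to pin its requests to one backend, so the allow-list should contain only nodes that are meant to be reachable this way.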