Forum Discussion
HY_37629
Nimbostratus
Jul 23, 2009
Pool Selection Based on HTTPS Request
Hello,
Newbie here...
Have a virtual server set up with client and server SSL.
Is it possible to direct httpS://www.x.com/a to pool a_pool and http://www.x.com/b to pool b_pool and default to x_pool?
Thanks for your help
10 Replies
- The_Bhattman
Nimbostratus
Interesting question.
In theory you should be able to do this via iRULE as long as you are terminating the SSL traffic on the F5.
Do you have a separate virtual server for https and http, or are you talking about sharing a single wildcard virtual server?
Thanks,
CB
- goyogi
Nimbostratus
Here's a similar request which should have the same answer...
I have separate irules for my http and https VIPs doing identical pool selection but the only difference is that the http irule has some http -> https redirects.
For ease of management I would like to create a single irule for both http and https.
What trigger do I use to say if the http_request is http do the redirect to https but skip it if it's not?
- goyogi
Nimbostratus
hyang...
I think something like this should work for you. And I may have answered my own question. =)
    when HTTP_REQUEST {
        set my_uri [string tolower [HTTP::uri]]
        if { [URI::port [HTTP::uri]] == 443 } {
            if { $my_uri starts_with "/a" } {
                pool a_pool
            }
        } elseif { [URI::port [HTTP::uri]] == 80 } {
            if { $my_uri starts_with "/b" } {
                pool b_pool
            }
        } else {
            pool x_pool
        }
    }
- goyogi
Nimbostratus
Sorry for the formatting. Cut and paste killed it. But it's small enough you should be able to decipher.
- hoolio
Cirrostratus
You can use TCP::local_port to get the true requested port. I think URI::port and URI::host are intended to be used to parse absolute URIs (typically used when making requests to an HTTP proxy). You could use something like this to check the requested port, disable the client SSL profile if it's not needed and select the pool based on the requested URI:

    when CLIENT_ACCEPTED {
        # Check the requested port
        switch [TCP::local_port] {
            "80" {
                # Disable the client SSL profile
                SSL::disable
            }
            "443" {
                # Leave the client SSL profile enabled
            }
            default {
                # Take some action for other ports? For example, send a TCP reset
                reject
            }
        }
    }
    when HTTP_REQUEST {
        # Check the requested URI
        switch -glob [HTTP::uri] {
            "/a*" {
                # Check if requested port is 443
                if { [TCP::local_port] == 443 } {
                    # Select a_pool and stop processing this event in this iRule
                    pool a_pool
                    return
                }
            }
            "/b*" {
                # Check if requested port is 80
                if { [TCP::local_port] == 80 } {
                    # Select b_pool and stop processing this event in this iRule
                    pool b_pool
                    return
                }
            }
            default {
                # Send to default pool. This must be defined on port 0, with the pool
                # members configured on the same HTTP/HTTPS ports as the virtual server
                pool x_pool
                return
            }
        }
        # If we made it here, the request was to /a and not via port 443 or
        # to /b and not via port 80, so take some default action?
        HTTP::respond 403 content {Unauthorized request}
    }

Aaron
- HY_37629
Nimbostratus
Aaron,
Thanks for your post. Another question - can an iRule examine the URI if both client and server SSL profiles are enabled for the VS?
- hoolio
Cirrostratus
If there is a client SSL and HTTP profile, you can use an iRule to inspect and modify the HTTP content including the URI using the HTTP:: commands. Adding a server SSL profile makes no difference for this.
Aaron
- HY_37629
Nimbostratus
So if the client sends a httpS://www.x.com/a request, HTTP:: commands will work as long as the SSL profile is checked?
- hoolio
Cirrostratus
That's correct. You'll need to import the server certificate and key in PEM format, configure them in a client SSL profile and add the profile to the HTTPS virtual server. You'd then be able to use the iRule above or any other HTTP:: commands on the HTTPS virtual server.
Aaron
- HY_37629
Nimbostratus
Aaron,
Thanks for the clarification.
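
goyogi's question in the thread (one iRule shared by the HTTP and HTTPS sides, with the redirect applied only to HTTP) can be handled with the same TCP::local_port check hoolio describes. The following is an added example, not code from any poster in the thread; it assumes a single virtual server answering on ports 80 and 443 with client SSL and HTTP profiles attached, that /a is the path that must only be served over TLS, and it reuses the thread's pool names.

```tcl
# Added example (not from the thread). Assumptions: one virtual server on
# ports 80 and 443, client SSL + HTTP profiles attached, pools a_pool,
# b_pool and x_pool exist, and /a* is the TLS-only path.
when CLIENT_ACCEPTED {
    # Record once per connection whether it arrived on the cleartext port
    if { [TCP::local_port] == 80 } {
        set is_cleartext 1
        # No TLS handshake happens on port 80, so switch the client SSL profile off
        SSL::disable
    } else {
        set is_cleartext 0
    }
}
when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]

    # HTTP-only step: send cleartext requests for the TLS-only path to HTTPS.
    # getfield drops any ":80" suffix from the Host header.
    if { $is_cleartext && [string match "/a*" $path] } {
        HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
        return
    }

    # Pool selection shared by both ports
    switch -glob $path {
        "/a*" { pool a_pool }
        "/b*" { pool b_pool }
        default { pool x_pool }
    }
}
```

Because the port is read from the TCP connection rather than parsed out of the request, a client cannot influence the redirect decision through the URI or Host header.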
